Post Mortem.

Justin Bebis
4 min readSep 13, 2021

--

I’d place this day firmly among the worst of my life, and it pains me more than I can describe to write this article. Selfishly enough, I fear for my life and for my future. I fear the wave of vitriol that I know will crash down on myself and my partners and the damage that’s about to be dealt to all this work we’ve poured our blood, sweat, and tears into making Reaper.Farm.

As of this evening, after hours and hours of hacking at our vaults and strategies, we’ve deemed about $2,000,000 locked into our FTM, USDC, DAI, BTC, and ETH single-sided crypts unsalvageable by our team. fUSDT is safe and users in there should be able to withdraw without issue. We’ve reached out to other teams and security professionals for second opinions, but felt that now was the right time to let you all know what’s been going on.

I wish I had some elaborate writeup for you, filled with intrigue and crazy jargon, but this wasn’t anything more than a simple mistake leading to not-so-simple consequences.

After testing our contracts, we accidentally deleted a line of vital code while we were removing our console logs. After final deployment, deposits, withdrawals, and harvests were working just fine. We’d been testing this system for weeks at this point, and were simply relieved that we were finally finished.

Obviously, the job wasn’t done.

When users with more than a couple thousand dollars tried to withdraw, transactions failed. It didn’t make much sense to us — we thought Javascript was messing up our decimal inputs. Withdrawing worked fine for us in smaller quantities.

Unfortunately, a line of code that managed the funds available for withdrawal was removed from the strategy, and we were unable to deleverage and return everyone’s funds due to a mis-implementation of our failsafes.

My lack of oversight was a big contributor to this loss. We’ve set strict standards for ourselves to prevent things like this, and today we saw how the simplest mistakes can sneak through when you don’t anticipate them. From the bottom of my heart, I’m truly sorry. I would give anything to go back in time and double check those contracts the other day but unfortunately that isn’t possible, so we need to think of a means to remedy this situation.

Remediation

I know the only way we can move past this traumatizing day is by making all of our users whole again, and I’d like to present some ideas for doing so. We can hopefully compose these into a solution that will keep everyone happy.

Compensation Vault: This is a common method of compensating victims of hacks and exploits, and involves devoting a percentage of our profit to a vault which each user will receive a share of based on the amount of funds they lost. We’d try to pay all of our users back within a year, including standard interest.

Token Promises: A tough part of this is we don’t have much money as a team, as we’ve never released a token or raised funds. In the future, however, we are likely to have a token which should fix this problem. If the community can decide on a valuation, we’d be able to set aside tokens to compensate users when we launch, with much higher interest than if we were to pay in other assets.

Leveraging our Treasury: The Reaper treasury currently has around $300,000 saved inside of a FTM-USDC crypt position. We planned on using this to pay for audits, but could collateralize a loan with it or even use it straight up to pay out a portion of the funds lost.

Please let us know if you have any ideas. I understand that these risks are inherent to defi, but I don’t think any of you should pay for mistakes made by our team.

Going Forward

In working through the tsunami of stress today, we’ve come up with about one million different ways we fell short. Working in this industry during a bull cycle is about the most stressful thing I can think of, and today was a culmination of everything we’ve let fall by the wayside trying to keep up with endless demand for new products and features. Myself and Goober were each working on 3 things at once and were putting pedal to the metal trying to pull everything together. Idiotic, in hindsight, to work on more than a single system when so much money is at stake.

It’s becoming painfully obvious that we don’t have the manpower to compete with other compounding platforms AND develop unique defi primitives. Pushing ourselves to do so will kill us. Today has been dark. I’ve thought about quitting Reaper, Byte Masons, Defi, Life. I want to be a security professional and a kickass programmer and now I can’t think of myself as anything other than a failure.

I’m sorry.

--

--

Justin Bebis
Justin Bebis

Written by Justin Bebis

Smart Contract engineer focused on high-performance blockchain networks

Responses (2)