December 2nd, 2022

Community Safety Notice

Dear Hathorpay Community,

Thank you for your patience during our code security audit these last few weeks.

The audit is now complete and we have discovered the source of the vulnerability affecting Hathorpay users (exclusively). 

The official Hathor wallets and Exchange wallets do not appear to have any issues.

The vulnerability allowed an attacker to decrypt the user's seed phrase stored in the browser memory via means of phishing and infected link or content. We have not yet identified which website, content, or phishing link the attacker used to exploit this vulnerability. For this reason, we strongly recommend not using Hathorpay anymore until this is addressed and a new patched and open source version is released. We will be delisting Hathorpay from the Chrome store for the time being (as per the Hathorpay User License Agreement) until a fixed version is available. Our team is now working with the third-party engineering team that conducted the code audit to estimate the work to perform the fixes to the existing wallet code.

Since our team is a bootstrapped team with a limited budget for development and operations, we have no means of rescuing users who have been impacted by this vulnerability. Over the last 18 months, we’ve spent significant sums learning and building on the network as community members. As a result, this critical issue has greatly impacted our scheduled roadmap and has set us back by months of development/efforts/budget. Furthermore, members of our own team have been impacted by this same vulnerability. We understand how unpleasant this is to read as a user who trusted our service to be bug-free. We understand that this impacts the technical integrity of any future releases of Hathorpay, but we will do our best to earn back Hathorpay users’ trust in the long-term if and when we are able to release a new version. 

As you may know, building on a new blockchain with no prior similar solutions to model after incurs its own set of risks.  Going forward, any work done by our team will undergo more than one code audit before launch - as this seems to be a necessary practice when building on such a novel blockchain network. Beyond that, our tech team will be revised based on suboptimal outcomes over the last 18 months when it comes to launching production-ready defi solutions on Hathor. Building on EVM chains is not at all the same as building on UXTO chains, and we’ve come to learn this the hard way.

Plan going forward

We currently have to put all of our development efforts on pause due to budget constraints caused by this setback. We will seek grants to help fund development of a new version, but cannot make any promises at this time. If we do and a new stable version is released, it would be fully open sourced free day 1 to become a community project. In such a case, we would only oversee development of the open sourced version.

Notifying CEXs

Our team will be creating a list of the transactions corresponding to reported hacks and forwarding them to popular exchanges that list HTR in the hope that they flag/disable any accounts that had missing funds routed to them from the attacker(s). We can make no promises as to whether or not CEXs will do anything with the information we provide them. Please use the form on this page to submit details to our team if you have been impacted by this vulnerability.

Lifetime Customers

The plan is to re-issue Lifetime plans to customers via a membership NFT in the event that the new version of Hathorpay is ready to be deployed and open sourced. For the time being, Lifetime customers’ accounts IDs have been snapshotted for this possible future date. We will make a post highlighting the distribution of these membership NFTs if/when such a time arrives as well as the process for claiming them.

Conclusion

Our team apologizes for the events that transpired and will ensure to complete code audits with multiple firms on any new product release.

Thank you,

Team Htrfdt

Have you been affected?

Please provide the transaction ID corresponding to a transaction where your wallet was drained by the attacker