Mitigated Security Incident, January 15th 2024 – No funds compromised

At approximately 20:17 CET on Monday, January 15th 2024, a technical contributor to Phantasma alerted the team to a subtle, but suspicious change in the token supply.

An investigation was immediately launched, the wallet performing the illicit activity was identified, and the Phantasma chain nodes were halted to ensure the security of all token holder funds. The technical contributor has received tokens of gratitude from the contributors as a bounty for their quick action. This person will have the freedom to choose whether to remain anonymous or not.

Drawing on both internal and external developer expertise, the exact lines of code allowing this illicit activity were quickly identified. Specifically, it was designed to only be executed by a single, unique address based on specific criteria, and only allowed minting a maximum of 50k tokens in a transaction. The first such transaction had been performed on December 28th 2023. A total of 16 transactions had been performed, of which two failed to be processed, resulting in the minting of 700k tokens.

Importantly, zero tokens have moved from the address, and the funds have been neutralized. Not a single token from this address will ever be able move to a different address and will thus never enter the circulating supply. They will not be tradable on any exchange, whether centralized or decentralized.

For transparency, the address in question is the following, where you can see the 700k tokens sitting static in the wallet:

The lines of code enabling this action were masked as parts of commits made to expand programming language support on Phantasma. In the last 48 hours, all such code has been removed from all Phantasma repositories, and all code changes have been reviewed by a minimum of four separate expert developers.

In addition to removing the malicious lines of code, intensive testing is being performed. Phantasma developers are working closely together with both on-chain dApp partner developers like GOATi and GhostMarket as well as external resources to go through every single code commit over the last year with a fine-tooth comb to ensure the integrity of the codebase.

Out of an abundance of caution, we will invest another 24-48 hours into this initial, thorough review before bringing the chain out of read-only mode to resume normal token transactions. In addition, contracts owned by our live, on-chain dApp partners will be whitelisted to ensure they’re fully operational.

Once this has been completed the chain will be brought to a “live-lite” state, which will enable our community to perform normal transactions between wallets and exchanges. Users will be able to mint NFT’s, as well as stake and claim tokens. 

During this time, the only limited functionality will be that no new contracts will be able to be launched on chain. Users will be notified of any other temporarily limited functions once we transition into the “live-lite” state. 

The next stage, which is expected to take up to two weeks, will see our developers conduct further in-depth security reviews and consult with relevant experts before enabling additional functionality such as contract deployments.

We look forward to sharing an even more detailed post mortem report with our community once the full review has concluded. Once again, we will emphasize that absolutely no illicit funds have entered or can possibly enter the circulating supply, and no such funds reached or will ever reach any exchange.

On a separate but related note, these recent events have massively strengthened the contributors’ confidence in certain organizational and directional changes that are taking place as we speak, and we look forward to sharing our plans for the future of Phantasma with the community.

Your Phantasma Contributors