October 8, 2023 | 4 min read

Security Incident

Some terrible news...

Dear CureDAO community,  

We hope this message finds you well. We are reaching out with crucial information about a recent security incident and its repercussions on CureDAO.

Immediate Action Required:

If you’ve ever used LastPass to store a private key or recovery phrase, stop reading right now, create a new wallet (ideally a hardware wallet) and move your funds to it.  

One might say, “I’m using 2-factor authentication and a super-secret password, I’m fine.”  You are not fine.  Two-factor authentication protects the login to the service; it does nothing for a copy of your encrypted vault that has already been taken and is being cracked offline, and any key that was ever pasted into that vault has to be treated as known to the attacker.  This mistake has cost hundreds of major builders in the space $35 million so far.

So, actually take the 2 minutes to physically write down your obnoxiously long recovery phrase and never store it electronically.

If you are a victim of these thefts or other credential compromises, PLEASE file an IC3 report ASAP: https://ic3.gov/Home/FileComplaint

Incident Report:

Regrettably, CureDAO has fallen victim to a security breach resulting in the loss of $3,645 from our treasury, all the money we've ever had. The unauthorized transaction was proposed from a MetaMask wallet whose private key had been stored in LastPass and compromised, and it reached our Gnosis Safe's two-signature threshold when a second signer inadvertently approved it.

Identified Missteps:

Several missteps led to this incident:

  • Storing a signer's private key in LastPass
  • Setting the treasury Safe to require two signatures instead of three, so one stolen key plus one inattentive signer was enough to move funds
  • Not requiring signers to confirm each transaction with one another verbally before approving it
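The second and third missteps above are both signing-policy failures: the Safe's threshold was too low, and the human check that should have caught a transaction proposed from a stolen key was optional. The script below is an added illustration, not CureDAO's code or part of the Safe contracts, of encoding those checks so a reviewer runs them before adding a signature. The class and function names (TreasuryPolicy, SafeTxProposal, review_proposal, safe_to_sign) are hypothetical, and the addresses and amounts are constructed sample data; only the Safe operation values (0 = CALL, 1 = DELEGATECALL) come from the Safe contracts.

```python
from dataclasses import dataclass, field

# Safe "operation" field values, as defined in the Safe contracts.
OPERATION_CALL = 0
OPERATION_DELEGATECALL = 1


@dataclass
class TreasuryPolicy:
    """Hypothetical signing policy for a Safe-controlled treasury (illustration only)."""
    owners: list[str]                  # Safe owner addresses
    threshold: int                     # signatures the Safe itself requires
    allowlist: set[str]                # destinations the signers agreed on in advance
    min_threshold: int = 3             # policy: never below three signers
    max_share_percent: int = 25        # one transaction may move at most this share of the balance


@dataclass
class SafeTxProposal:
    """One proposed Safe transaction plus the reviewer's out-of-band evidence."""
    to: str
    value_wei: int
    data: bytes
    operation: int
    proposer: str                      # owner whose signature created the proposal
    treasury_balance_wei: int
    confirmed_out_of_band: set[str] = field(default_factory=set)  # owners who confirmed by voice/video


def _lower(addrs):
    return {a.lower() for a in addrs}


def review_proposal(policy: TreasuryPolicy, tx: SafeTxProposal) -> list[str]:
    """Return the reasons NOT to sign; an empty list means every check passed."""
    findings = []
    owners = _lower(policy.owners)

    # A 2-of-N Safe executes as soon as one stolen key is joined by one inattentive signer.
    if policy.threshold < policy.min_threshold:
        findings.append(f"Safe threshold {policy.threshold} is below policy minimum {policy.min_threshold}")

    if tx.proposer.lower() not in owners:
        findings.append(f"proposer {tx.proposer} is not a Safe owner")

    # Draining to a never-seen address is the usual theft pattern; require a pre-agreed destination.
    if tx.to.lower() not in _lower(policy.allowlist):
        findings.append(f"destination {tx.to} is not on the payout allowlist")

    # Cap how much a single transaction may move, whoever proposed it (integer math, no float rounding).
    if tx.value_wei * 100 > policy.max_share_percent * tx.treasury_balance_wei:
        findings.append(f"value {tx.value_wei} wei exceeds {policy.max_share_percent}% of the treasury balance")

    # DELEGATECALL runs the callee's code in the Safe's own storage context; it can rewrite owners and threshold.
    if tx.operation == OPERATION_DELEGATECALL:
        findings.append("operation is DELEGATECALL; refuse unless this exact module was audited and expected")

    # Every signature the Safe needs, the proposer's included, must be backed by a live out-of-band
    # confirmation: a stolen key can propose a transaction, but it cannot join a voice call.
    confirmed = _lower(tx.confirmed_out_of_band) & owners
    if tx.proposer.lower() not in confirmed:
        findings.append("proposer has not confirmed this transaction out of band")
    if len(confirmed) < policy.threshold:
        findings.append(f"only {len(confirmed)} of {policy.threshold} required signers confirmed out of band")
    return findings


def safe_to_sign(policy: TreasuryPolicy, tx: SafeTxProposal) -> bool:
    return not review_proposal(policy, tx)


# Constructed sample data: placeholder addresses, not real accounts or the incident's actual values.
OWNER_A = "0x000000000000000000000000000000000000000a"
OWNER_B = "0x000000000000000000000000000000000000000b"
OWNER_C = "0x000000000000000000000000000000000000000c"
GRANTEE = "0x00000000000000000000000000000000000000f1"   # pre-agreed payout address
UNKNOWN = "0x0000000000000000000000000000000000000bad"   # address nobody has seen before

POLICY_2_OF_3 = TreasuryPolicy(owners=[OWNER_A, OWNER_B, OWNER_C], threshold=2, allowlist={GRANTEE})
POLICY_3_OF_3 = TreasuryPolicy(owners=[OWNER_A, OWNER_B, OWNER_C], threshold=3, allowlist={GRANTEE})

# Pattern of the incident: a key stolen from OWNER_A proposes a full drain to an unknown address,
# and nobody has confirmed anything by voice.
DRAIN = SafeTxProposal(to=UNKNOWN, value_wei=10**18, data=b"", operation=OPERATION_CALL,
                       proposer=OWNER_A, treasury_balance_wei=10**18)

# A routine grant: small, allowlisted, and all three owners confirmed it out of band.
GRANT = SafeTxProposal(to=GRANTEE, value_wei=10**17, data=b"", operation=OPERATION_CALL,
                       proposer=OWNER_A, treasury_balance_wei=10**18,
                       confirmed_out_of_band={OWNER_A, OWNER_B, OWNER_C})

if __name__ == "__main__":
    for name, tx in (("drain", DRAIN), ("grant", GRANT)):
        for finding in review_proposal(POLICY_2_OF_3, tx) or ["ok to sign"]:
            print(f"{name}: {finding}")
```

Under the 2-of-3 policy the drain proposal fails on the threshold, the destination, the amount and the missing confirmations, while even the routine grant is refused until the threshold is raised; under 3-of-3 the grant passes and the drain is still refused on every remaining check. The point is that the second signer's review becomes a mechanical step that a busy person cannot skip.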

Our Response:

In light of this incident, we have:

  • Removed the compromised MetaMask wallet as an owner of the Safe
  • Extended our sincerest apologies to our valued donors
  • Reported the incident to relevant law enforcement agencies
  • Engaged blockchain security experts in an attempt to recover the lost funds
  • Issued this transparent report to inform our community about the incident

Your patience and understanding during this challenging time are immensely appreciated.

Looking Ahead:

Despite having no employees and no funds, CureDAO remains committed to minimizing suffering through developing a decentralized, futuristic FDA aimed at reducing clinical research costs. However, progress has been hampered by limited active contribution and development involvement. We invite developers interested in contributing to explore the Decentralized FDA GitHub repo (https://github.com/curedao/decentralized-fda) and join our weekly Dev Alignment meetings (https://www.curedao.org/calendar). Your involvement can significantly impact the advancement of the project.

Involvement and Tips:

If you have any questions, suggestions, or information that might assist in rectifying the situation, please contact us at hello@curedao.org.

