Move fast, break things, get hacked.
That’s what happened at Roll, the social currency platform that allows creators to mint and distribute their own Ethereum-based cryptocurrency known as social tokens. Last week, Roll disclosed a hacker had stolen $5.7 million from its hot wallet, a little over a year after the company launched.
Roll set up a $500,000 fund to help creators recoup their losses, and the company promised to hire a third party to audit its security infrastructure.
But the company has so far been unable to contract with security investigators to probe the breach, leaving the startup to look for clues itself. A week has passed since the breach, and the social currency startup says it still doesn’t know how the hacker broke in or stole its private keys.
In a call with TechCrunch this week, Roll executives confirmed that the company’s infrastructure never underwent a security audit, a process designed to help find and fix vulnerabilities, prior to its launch.
“We weren’t ready from a security standpoint,” said Roll CEO Bradley Miles.
“This incident was a big setback for us, we will revamp a lot of infrastructure around this that we have in place to prevent something like this from happening again,” said Roll’s chief technology officer Sid Kalla, who oversees cybersecurity because the company does not have dedicated staff.
The executives said while its smart contracts — the technology that underpins the blockchain — were audited by a third-party firm, the rest of the company’s infrastructure was never stress-tested.
“That was a shortcoming on our end, and we should have done this earlier,” said Kalla.
The emptying of Roll’s hot wallet comes as social currency climbs to new levels of popularity. Roll has netted high-profile creators like actor Terry Crews, along with hundreds of other social currencies on the platform, many of which plummeted in value after the hot wallet was hacked.
Some of the larger social currencies, like $WHALE, bounced back fairly quickly after the breach of Roll’s hot wallet. A month earlier, $WHALE “serendipitously withdrew” a large amount of its supply to its cold wallets, which aren’t connected to the internet, in anticipation of community distributions. The social currencies that had such measures in place showed some resilience against the hack.
After the company realized its hot wallet was emptied, it spent the first two days following the money trail. Miles said the company engaged with forensic blockchain company Chainalysis for help. The company said it was looking at its logs, but says it has not seen any anomalous logins. Roll uses Amazon’s cloud for its infrastructure. Only a handful of employees have access to the private keys, and their accounts are secured with app-based authentication codes, said Kalla.
“We’re a young company, we’re growing extraordinarily quickly,” said Miles, who admitted that the company’s response “could have been better.”
“There’s no scenario in which you can lose that kind of money and not bring in incident response,” said Jake Williams, founder of cybersecurity firm Rendition Infosec. “The idea that you would try to do a DIY incident response, especially if it’s not your core capability, is just ridiculous.”
“To rebuild trust, the company has to come clean on where the failures were at,” said Williams, a former NSA hacker turned incident responder.
Roll is rebuilding its infrastructure, but did not give a timeline for when the work would be completed. The company said it won’t allow users to make withdrawals until it’s confident that its infrastructure is secure. The company says it will engage a security company to audit the changes to its infrastructure. Roll also said it will reduce how many tokens it holds in its hot wallet.
Miles said the company’s relief fund for creators was raised to $750,000, which he said will go directly to affected communities. The company also plans to hire a dedicated chief information security officer when its next financing round closes.