
Roll still doesn’t know how its hot wallet was hacked

Zack Whittaker
Security Editor, TechCrunch
March 23, 2021

A Security Breach at Roll: A Social Currency Platform

The social currency platform Roll, which lets creators launch their own Ethereum-based tokens, suffered a major security breach: a hacker stole $5.7 million from the company’s hot wallet just over a year after Roll launched.

Creator Loss Recovery and Security Measures

In response to the breach, Roll established a $500,000 fund intended to help creators recover their financial losses. Furthermore, the company committed to engaging a third-party firm to conduct a comprehensive audit of its security infrastructure.

Finding an investigation firm has proven difficult, however. For now, Roll is conducting its own internal investigation into the cause of the breach and how the hacker obtained access to its private keys.

Lack of Prior Security Audits

Roll executives revealed in a recent discussion that a full security audit of the company’s infrastructure was not performed before its launch. This audit is a crucial process for identifying and addressing potential vulnerabilities.

“We were unprepared from a security perspective,” stated Roll CEO Bradley Miles.

Sid Kalla, Roll’s chief technology officer, who also oversees cybersecurity due to the absence of dedicated security personnel, acknowledged the incident as a major setback. He affirmed the company’s commitment to overhauling its infrastructure to prevent future occurrences.

Smart Contracts Audited, Infrastructure Untested

While the smart contracts – the on-chain code behind the tokens – were audited by an external firm, the rest of Roll’s infrastructure had not been rigorously stress tested.

“This represents a deficiency on our part, and one we should have addressed sooner,” Kalla explained.

Social Currency Popularity and Impact of the Hack

The incident occurred amidst growing popularity for social currencies. Roll hosts numerous high-profile creators, including actor Terry Crews, many of whom experienced a decline in the value of their social tokens following the hot wallet compromise.

Some larger social currencies, such as $WHALE, demonstrated resilience, recovering relatively quickly. $WHALE had proactively moved a substantial portion of its supply to cold wallets – offline storage – a month prior, anticipating community distributions.

Investigation and Initial Findings

Following the discovery of the emptied hot wallet, Roll dedicated the initial two days to tracing the stolen funds. The company enlisted the assistance of Chainalysis, a forensic blockchain analysis firm.

Despite reviewing system logs, no unusual login activity has been detected. Roll utilizes Amazon’s cloud infrastructure, and access to the private keys is limited to a small number of employees, all secured with app-based authentication.

Acknowledging Shortcomings and Expert Opinions

Miles admitted the company’s response “could have been improved,” acknowledging its rapid growth as a contributing factor.

“Engaging incident response is essential when facing a loss of this magnitude,” stated Jake Williams, founder of Rendition Infosec. “Attempting a self-directed incident response, particularly without core expertise, is simply unreasonable.”

Williams, a former NSA hacker now specializing in incident response, emphasized the need for transparency. “To restore trust, the company must openly disclose the nature of its failures.”

Future Security Enhancements

Roll is currently rebuilding its infrastructure, but has not provided a specific timeline for completion. Withdrawals for users will remain suspended until the company is confident in the security of its systems.

A security firm will be engaged to audit the implemented changes, and Roll intends to reduce the number of tokens held in its hot wallet.

The creator relief fund has been increased to $750,000, and Miles stated these funds will be distributed directly to affected communities. The company also plans to appoint a dedicated chief information security officer upon securing its next round of funding.


Zack Whittaker

Contacting Zack Whittaker

Zack Whittaker currently serves as the security editor for TechCrunch, a prominent technology news outlet.

In addition to his editorial role, he writes and distributes a weekly cybersecurity-focused newsletter titled "this week in security."

Secure Communication Channels

For those seeking to reach Mr. Whittaker through encrypted messaging, he is available on Signal under the username zackwhittaker.1337.

Alternative methods of contact include email. His official TechCrunch email address is zack.whittaker@techcrunch.com.

To confirm that any outreach claiming to be from Zack Whittaker is genuine, verification can be requested through the email address above.
