A Post-Incident Evaluation and Lessons Learned
On the evening of 05 July 2022, the DripDropz team was alerted to an announcement on Twitter and Medium that showed a scheduled drop for the Ardana DANA token that was to begin on 09 July 2022.
This was highly unusual. None of our team was aware of this drop, nor did we have the Ardana team in any of our communication channels. We didn’t have signed agreements, KYC, or any other validation that this drop was occurring. The announcement channels appeared authentic, so we performed an internal evaluation, and then contacted the Ardana team.
Internal Review
Each of the DripDropz team members went through their conversation logs and our typical onboarding routes, looking for any sign of this drop. Had we somehow missed a step in our process? Was there some way that one of our team had promised a drop only a few days away?
We came up blank.
The team had a few connections to the Ardana team. Andrew briefly spoke with Stake Pool Operators who were supporting the ISPO back in April. Rick had access to Ryan Matovu, the Ardana CEO, via Telegram. After verifying that the DripDropz team had no direct knowledge of the drop, we knew it was possible that a scammer had infiltrated the processes at Ardana.
The Ardana Response
Ryan worked diligently and immediately with our team. He asked some hard questions of his team, trying to understand where the communication was occurring. He shared the fact that a recent hire of just a few weeks had been tasked with contacting the DripDropz team and setting up the launch parameters.
The technician had been relatively well vetted. He had performed some code creation and built tools to support the drop. He initially came from the well-known CryptoDevs Discord server. The code that he provided was excellent, and thoroughly audited for correct outputs.
The technician represented to Ryan that he had been in contact with the DripDropz team, and that everything was on track for the ISPO to begin. Unfortunately, this person was never in contact with DripDropz, and provided false details to Ryan.
The Outcome
It is assumed that the goal of the infiltration was for a false address to be provided to the Ardana team as the destination for the ISPO reward tokens. This would have resulted in the theft of over $540,000 USD in Ardana tokens. Thankfully, no tokens were ever issued or compromised, and the security and integrity of the DANA token were protected during this incident.
Lessons Learned
The importance of safety in hiring new developers and other team members cannot be overstated. It is important that team members are vetted to a much higher level when possible. The DripDropz team recommends the following best practices for maintaining cyber security surrounding token drops.
KYC all team members.
Perform “Proof of Humanity” via regular video communication.
Ensure MultiSig arrangements for treasury funds.
Limit the number of tokens that are sent at one time to third-party services.
Have high-level video communication between teams prior to public announcements.
Conclusion
We are grateful that no damage was caused, and that together, Ardana and the DripDropz team can evaluate their drop, and find the best way to safely deliver their ISPO tokens to their delegators. This will mean that we have to evaluate the full drop parameters and find a fair distribution model that the Ardana community can enjoy. Please stand by while our two teams find the best way forward.