This article outlines a critical bug we discovered after the V2 launch. We apologize for the lack of communication about the issue up until this point; we intended not to release any information until we fully understood the circumstances. We now understand that was the wrong decision and hope that this incident report covers the entire situation.
4/30/2021 at 12:00 UTC — V2 Launch: Dracula Protocol V2 launches, our new interface is deployed. Several non-critical bugs were reported regarding TVL, mobile responsiveness, and general usability. @mdzor, our frontend lead, begins hotfixes for the frontend.
12 Hours After Launch: UI fixes are still being implemented. We receive a few messages from community members regarding incorrect rewards being displayed. We assume it is a frontend issue and continue to implement hotfixes.
24 Hours After Launch: Messages come in that the harvested rewards are much higher than they should be, specifically for the SUSHI pools. @aaron0v investigates the Etherscan transactions and confirms that something is wrong at the contract level. The Dracula Team decides to disable withdrawals and reward harvesting from the frontend while the issue is investigated.
48 Hours After Launch: The bug has been confirmed to be critical. Essentially, the rewards for each individual address are not accumulating properly. If a user harvests their rewards, all other depositors in that pool no longer have rewards to harvest, which causes concern that a malicious user could steal other users’ yields.
72 Hours After Launch: The Dracula Team has been able to reproduce the error on testnet. Although we know what the issue is, the complexity of our contracts has made it difficult to identify which contract the bug is in. All developers, @mdzor, @aaron0v, and @0xMars are investigating the source at this point.
Current Status: The Dracula Team has identified the source of the issue, which stemmed from some code that was added during initial tests to debug a different issue and was missed during the final code review. The buggy code essentially caused draining a pool that had not yet been drained for the first time (or that had 0 rewards) to take the entire reward for all other pools. This is why we saw some users in some pools getting much larger rewards than expected.
We believe that removing this small portion of the code will completely fix the issue. Unfortunately, the core contracts must be re-deployed in order to reflect the changes. This means that all users will need to unstake from the current V2 contracts and move their liquidity to the fixed V2 contracts, which we will refer to as V2.1. We will provide more information on this as we get closer to deploying the new contracts.
Current deposits are not at risk, as we have confirmed that our Emergency Withdraw function works for all pools. Users are free to withdraw their liquidity using this function, which will be added to the UI shortly.
Due to the error and gas costs, we have decided that we will airdrop a certain amount of DRC to each wallet that has interacted with our V2 platform. This DRC will come from our dev wallet and will not be minted. We hope that this airdrop will help some of the affected users make up for losses. Please reach out to team members if you have specific concerns regarding your deposit. We will follow up with details regarding eligibility and the amount of DRC in a later post.
Once we have fixed the bug in the core contracts and redeployed, there will be a migration phase for users in the current V1 or V2 platform. Once this migration phase is over, we plan on adding Alchemix and Mirror protocol as our next victims and will resume marketing as planned. Dracula Protocol will continue to work towards its mission to be an essential part of the core DeFi ecosystem by adding new victims, transitioning to an official DAO, cross-chain yields, and more.