CEO’s Letter to the Community
Dear Minterest Community,
Over the past few weeks, we have faced significant challenges together, and I want to take a moment to address this directly.
Firstly, I acknowledge the distress and concern caused by the recent security breach on our build of Minterest on Mantle Network. I deeply regret the impact this has had on our community. Your trust is paramount, and I realise this incident has cost us some of that. I personally empathise with how shaken the community has felt during this period and want to extend my heartfelt thanks to each of you for showing patience, giving constructive feedback, and providing direct assistance as we navigated this difficult situation.
Incident Summary
On July 14, 2024, Minterest experienced a security breach on its Mantle Network deployment, resulting in the loss of USD $1.4M in $mETH and $WETH tokens. The breach involved a sophisticated exploit of the USDY token market through a reentrancy attack, which manipulated exchange rates and led to the liquidation of user positions. Swift actions were taken to suspend operations and mitigate further damage. For a detailed account of the incident, please read our Post-Mortem Report.
Vulnerability Findings and Improvements
Though Minterest’s code had been reviewed and fully audited multiple times, the USDY token market addition specific to Mantle Network went live unaudited. To provide greater context, the token markets on Minterest are governed by the audited mToken contract, which directly oversees markets such as USDT, USDC, and mETH. However, certain token markets, like USDY, contain unique properties. For these markets, a new token contract is created, inheriting all traits from the parent mToken contract before adding new functionality. Unfortunately, our internal code review process failed to flag the flaw and the requirement for a partial security audit.
This incident highlights a critical need to bolster our internal code review procedures to prevent such occurrences in the future. I am directly overseeing this progress to ensure we enhance our security practices. We will publish our updated approach to the community shortly and welcome additional suggestions from those with relevant domain expertise.
Concurrently, the Minterest protocol is undergoing a thorough code audit by a renowned partner on both the USDY market and the broader codebase deployed across all chains Minterest supports. Passing the USDY audit is an internal mandate before reopening Minterest, while the larger audit will cover existing and new features developed.
What is Next?
Minterest is to reopen shortly. We are launching an admin page for affected users to view their before and after portfolio positions, including a $MINTY token compensation section as part of the remediation plan. And, for greater transparency of the audited codebase, a new audited seal will be attached to each token market on the app.
The reopening of Minterest includes a three-week period of high $MINTY & $MNT emission rewards for suppliers and borrowers as follows:
- Week 1: +100% emission rewards
- Week 2: +75% emission rewards
- Week 3: +50% emission rewards
In addition, impacted mETH & WETH suppliers will receive a further +40% boost in their emissions for three full months.
More details are to be provided by the team across our official channels soon.
Thank You
During our moment of crisis, there were some who jumped in to provide aid, and I do want to publicly thank those who went the extra mile, including VEER from Mantle Network, Seal 911, Blocksec, CommercantXBT, Mitko, Dan from Hypernative, BuyNoEvil, Tsrai11, Wolfsince87, Valentine, and James G.
To our community, we thank you for supporting Minterest. I hope that the new measures taken are encouraging and will reignite your interest to progress on this journey together. We have collectively endured through hardships before and will continue to stay resilient as we move Minterest into its next chapter.
Warm regards,
Kyn Chaturvedi
CEO, Minterest
31 July 2024