dApp Staking Temporarily in Maintenance Mode Due to Neemo Finance Incident

Dear Astar Community,

We would like to inform you that Astar’s dApp Staking has been placed into maintenance mode as of 5:44 AM UTC today, following a security incident exclusively involving Neemo Finance.

The incident stems from a vulnerability within Neemo Finance’s own systems. As a result, the attacker was able to unlock funds staked by Neemo Finance through nsASTR liquid staking from dApp Staking. To prevent the attacker from accessing these unlocked funds and to protect the broader Astar ecosystem, including the ASTR token and its holders, the dApp Staking system was temporarily put into maintenance mode.

We want to make it absolutely clear that this is an isolated issue within Neemo Finance, and that neither the Astar Network nor the dApp Staking system has been compromised in any way. The Astar infrastructure remains fully secure and operational. Maintenance mode was activated purely as a preventive measure to contain potential impact caused by the breach on Neemo’s side.

The maintenance mode will be lifted and dApp Staking operations will fully resume once the unlocked funds are secured, ensuring that no further exploitation can occur and no additional risks are posed to ASTR and nsASTR holders.

As dApp Staking is currently in the voting period, please note that once maintenance is disabled, the system will transition directly into the Build & Earn period.

We are actively coordinating with Neemo Finance and other relevant parties to support resolution of this issue. Governance processes may be required to fully resolve the situation, so we encourage the community to stay tuned to our official announcements over the coming hours and days.

For incident-specific details, please refer to Neemo Finance’s official social channels, as they are handling the breach and communicating next steps on their side.

Thank you for your continued vigilance and support.


Astar Foundation

15 Likes

Temporary Custody of Unlocked Neemo dApp Staking ASTR in Astar Treasury and Change of Neemo dApp Ownership to Astar On-Chain Treasury

Summary

Neemo Finance urgently requests that all ASTR currently being unlocked from Neemo’s dApp staking allocations be transferred to the Astar on-chain treasury, instead of any Neemo-controlled address. This includes both currently withdrawable and pending-unlock funds. We also request a temporary change of the dApp ownership of Neemo Finance in dApp Staking to the Astar core team, Main Council, or any other trusted and secure party.

This action is being formally requested to the Main Council, who will prepare and fast-track this proposal for execution with the support of the core dev team.

Compromised addresses:
dappStakingManager (nsASTR) : 0x85031E58C66BA47A16Eef7A69514cd33EC16559c
stakingManagerL1 (nrETH) : 0x54Cd23460DF45559Fd5feEaaDA7ba25f89c13525

Background

We sincerely apologize for the recent security incident. Multiple key addresses and our main operational wallet were compromised by an attacker. As a result, we are unable to pause/unpause our smart contracts or prevent malicious access.

The attacker is actively attempting to withdraw 26,783,546.036 ASTR (from Chunk 1), which is pending-unlock funds, and to unlock 177,500,000 ASTR (Chunk 2), and could gain access once withdrawals are enabled.

To prevent this, and to protect both Neemo users and Astar ecosystem integrity, we are urgently requesting that the ownership of Neemo’s dApp in the staking system be temporarily transferred to the Astar on-chain treasury, and that all unlocked funds be redirected to the treasury for secure custody.

Current Unlocking Status (as of July 6, 2025):

  • Chunk 1: 26,783,546.036 ASTR — unlock completed (but withdrawals disabled)
  • Chunk 2: 177,500,000 ASTR — unlock in progress (9 days remaining)
  • Total under custody: 204,283,546.036 ASTR
  • dApp Staking system is currently in maintenance mode, but preparation for post-maintenance fund transfer is ongoing.

Proposal Details

  • Action: Redirect the entire amount of Neemo’s dApp staking unlocked ASTR (both available and pending) to the Astar Treasury and change the dApp ownership of Neemo Finance in the dApp Staking to the Astar core team, Main Council, or any other trusted and secure party.
  • Fund Destination: Astar on-chain treasury (not any Neemo-related wallet).
  • Duration: Until Neemo submits a verified secure address.
  • Applies to: Chunk 1 of the unlocked assets (26,783,546.036M ASTR) and Chunk 2 of the unlocked funds (177,500,000 ASTR)
  • Execution: To be performed immediately upon technical readiness of withdrawals.

Rationale

This approach provides the safest interim custody for a large unlocked amount of ASTR and the owner transfer during a period of address recovery and verification. By routing funds to the treasury, we ensure:

  • No unauthorized access or fund loss
  • Full transparency and auditability
  • Time for Neemo to finalize and verify its new secure infrastructure

Next Steps

  1. When technically possible,
    1. Change the dApp owner of Neemo Finance (0x85031E58C66BA47A16Eef7A69514cd33EC16559c)
    2. 26,783,546.036 ASTR from Chunk 1 are sent to the Astar on-chain treasury: YQnbw3oWxBnCUarnbePrjFcrSgVPP2jqTZYzWcccmN8fXhd from the Neemo compromised wallet (0x85031E58C66BA47A16Eef7A69514cd33EC16559c)
  2. Chunk 2 will require a 2nd referendum later this week
  3. Neemo completes address verification with the core team
  4. A second governance post enables final transfer from treasury to Neemo

7 Likes

Will nsAstar be liquidated on the Sake lending platform?
What will be the exchange rate for nsAstar to Astar?
Thank you for replying

Thank you for your report!
Thank you for your immediate response.
I think it will be difficult to respond to the DeFi operations, but I am relieved that the main ASTR can be preserved.

We look forward to receiving a detailed report in the future.

3 Likes

Thank you for your prompt response and detailed report!

Thank you for your report!

Please tell me how the administrator key was saved.
How were security measures taken?

How do you think you could have prevented this incident?

I knew an issue like this would eventually arise and would need to be managed by the Astar team..

This 100% could have been prevented.

I beg one more time for a native liquid staking token..

Hope everyone gets made whole and the attacker is discovered.

1 Like

Thank you for your efforts!!
I hope that you’ll tell us why admin keys were leaked and future actions for preventing similar issues.

As of now, once governance is finalized, we plan to be able to redeem at the pre-hack exchange rate.

2 Likes

We apologize for causing this. We will surely send a detailed report, including the DeFi market and nrETH, soon.

1 Like

Thanks, and we apologize for the incident.

Will this include nrETH holders? What about nrETH?

Following the recent incident involving Neemo Finance and the temporary activation of maintenance mode on dApp Staking, the Main Council has submitted an urgent proposal, now live as a public referendum.

📥 Referendum Link:
👉 Vote here on Subsquare

🧾 Proposal Summary:

  • Disable maintenance mode to restore full functionality of dApp Staking
  • Withdraw ~26.78M ASTR (Chunk 1) previously unlocked from Neemo’s dApp staking
  • Transfer those funds to the Astar on-chain treasury for safe custody
  • Change ownership of the Neemo dApp in the dApp Staking system to the on-chain treasury

This action was formally requested by Neemo Finance in order to prevent unauthorized access to unlocked funds and protect the wider Astar ecosystem. The Astar protocol and dApp Staking system remain secure and uncompromised.

Governance Timeline

  • Voting Period: 2 days
  • Enactment: Immediate upon approval
  • If passed, execution is scheduled for Tuesday, July 8, 2025, and maintenance mode will be disabled shortly afterward.

🔄 What About Chunk 2?

This proposal only covers Chunk 1 (~26.78M ASTR) — the portion that is already unlocked and at risk of withdrawal.
A separate referendum will be introduced later this week to deal with Chunk 2 (~177.5M ASTR), which is still in the process of unlocking.


🗳️ Your Vote Matters

We encourage all ASTR holders to review the proposal and vote as soon as possible.

👉 Vote here on Subsquare

Your support will:

  • Secure unlocked funds
  • Prevent further risk to the Astar ecosystem
  • Resume dApp Staking for all participants

Thank you for your attention and participation in Astar governance.


Astar Foundation

6 Likes

At this time, we still don’t know how the key was compromised; we’re actively investigating the cause.

Thank you for your patience while we work to determine what happened.

@Gaius_sama, thanks for the quick action. I really appreciate it

Something worth noting:
This could have potentially been an inside job from Neemo.

No, what we want to know is not what method the attackers used on the system, but how the keys were stored.
You don’t need a security company to answer that question.
What we want to know is how Neemo managed the keys.

1 Like

We were deploying from an EOA address on a dedicated laptop that was used exclusively for Neemo. It wasn’t connected to any other protocols or unnecessary sites or extensions.

While this doesn’t excuse what happened at all, we prioritized speed in development, and the plan was to migrate to a multisig setup after the end of the current period.

We sincerely apologize. We’re currently investigating how the private key was compromised and will take the necessary steps.

5 Likes

Thank you for acting quickly, Astar Team.
It’s a critical situation for the Neemo team to handle and rebuild community trust.
Looking forward to more updates.

Thank you very much for your honest reply.

1 Like