dApp Staking Temporarily in Maintenance Mode Due to Neemo Finance Incident

Thanks for your feedback, the private key leak is something everyone is concerned about and hopes Neemo can find out the cause. This cause can be a lesson for other projects about security.

Thank you for sharing all the information about the Neemo Finance incident so clearly and thoroughly.
I really appreciate the transparency and the quick action taken by the team to protect the entire Astar ecosystem.
Looking forward to further updates.

Mindblowing that the entire Astar network was essentially brought to a halt due to amateur security measures (not an insult, just facts).

I’m a Neemo supporter and will continue to be.

If the project is to survive, everyone needs to be paid back. This is the only way to restore trust and brand reputation, which an LST project needs to survive. Unfortunately Astar Network brand is at risk here so they will need to ensure everyone is made whole (screenshot below)

Relations with Sony need to be carefully managed here as it could negatively impact Sony integrating Astar into their ecosystem instead of them launching their own coin.

I would strongly recommend each user is 100% compensated. 100ETH is a small price to pay - could have been a lot worse. Ecosystem wide procedure update and security measures are now required for projects with huge TVL.

As i’ve stated before, Astar Network has to take responsibility for dApp projects and can’t wash their hands of the situation (Neurolanche was a scam project destined to always implode that Astar didn’t deal with, yes i’m mentioning it again - we’ve taken yet another brand hit with the community suffering financial losses) - especially when dealing with professional companies such as Sony.

The lesson is that Astar Core team have a duty to ensure that dApp projects are operating to a professional standard, especially when entrusted with such a high TVL.

Edit: maybe we should implement @ERC20s idea of Astar network creating their own LST native functionality directly into the Astar Portal. LST functionality is so important for an ecosystem and we can’t afford for this to happen again.

3 Likes

I would like to make a small statement about these remarks added above. As you know, Astar Foundation is only part of the Astar Collective, ensuring the security, managing the assets and the features that are built on top of Astar Network as native integration. Entities such as the Community Council, Finance Committee, etc., paid by the onchain treasury, are here to ensure Astar Foundation does not have full control over certain areas; the Collective carries these responsibilities.

As you can see here:

The UCG grant managed by the community council was created in a way to give projects who need support, guidance and a position on dApp Staking. While the ‘Astar Core’ team ensures security on its L1 to ensure the network operates at the highest standards. With this recent incident the ‘Astar Core’ team ensured there was no security issue on the network and funds were locked before they were in control of the hacker. I think the ‘Astar Core’ team took its responsibility in this incident.

Projects on dApp Staking are Astar Collective responsibilities; this also includes you as a user, to use a project that you trust. I don’t see why you blame Astar Foundation for washing their hands. Neurolanche was fixed by the entity that had the responsibility and mandate to do so.

It’s easy to blame Astar Foundation about this, but it’s Astar Foundation that is dealing with Sony; we ensure everything is handled professionally between us and them. The actions we are taking from Astar Foundation ensure this relationship. So blaming us for not doing things or washing our hands clean is not happening. We do things you don’t see, so please only blame us when you have the full understanding.

Just to end, this whole incident had nothing to do with Astar Foundation but was a security breach on Neemo Finance. All responsibility related to this hack needs to be addressed by them. Astar Foundation doesn’t need to justify why that project used an EOA for their contract deployment, while multisigs and other tooling were provided from day 1 in the Soneium ecosystem. Astar Foundation doesn’t need to audit a project on Soneium. We promoted it based on the usage and utility it gave on Soneium to the ASTR token.

6 Likes

@FFR23 @Maarten
We sincerely apologize for the situation that has unfolded.

The Astar Foundation has been incredibly supportive, and we are deeply grateful for their help throughout this incident. To be clear, this issue was entirely due to a failure on Neemo; the Astar Foundation bears no responsibility whatsoever for what occurred.

Regarding compensation for nrETH and assets involved in DeFi protocols, we are currently in discussions with relevant stakeholders to determine the best course of action.

We kindly ask for a bit more time as we work through the details. Again, we apologize for the incident. Thank you for your patience and understanding.

2 Likes

@Maarten

The screenshot I provided earlier is from the community - not me. This is the perception in many different communities now, and the communities are blaming Astar Foundation directly.

I am basically just making that clear so there is no room for ignorance - PERCEPTION IS REALITY despite the good work that is happening behind the scenes.

From an overall standpoint - the former #1 dapp on Astar (Neurolanche) failed - this dApp was replaced by Neemo as #1 and now that has suffered a serious breach that has severely impacted Astar Network operations (dApp staking is frozen, we had a VERY close near miss where millions of Astar was at risk).

By allowing dApps to get this size with no controls in place, you are creating RISK which eventually WILL result in impact. Risk has to be controlled, this is basic professionalism.

Whether you are comfortable with it or not, or believe differently, the Astar brand is at risk with each action of underlying dApps / projects - which means you have an obligation to ensure projects operate to a certain professional standard.

For example, in traditional finance banks have AML laws for this exact reason. They cannot blame the customer if they were using their services for illicit activities - the bank has to take responsibility by law if someone using their services acts in a certain way.

@SeiyaChida

You have an excellent project.

It was a web 2 security breach which caused this. The protocol security is high and robust.

Trust and confidence are equally as important if you want to be successful.

The path forward to success is to make sure no community member suffers any financial loss.

I know you are working hard to fix the issue. Every single entrepreneur and professional has made a mistake in their career - it is normal, especially for DeFi projects.

How you respond to this incident will determine the success of your project - similar to how Astar Foundation responds by implementing controls for projects to follow.

2 Likes

Based on what you are saying, this is making dApp Staking a fully centralized service with KYB clearance. If that’s the goal, the whole purpose of governance is lost and dApp Staking should be seen as a general business. BUT dApp Staking is behind governance in a decentralized network, making your next statement of:

False! This is not the obligation of Astar Foundation, as mentioned in my previous reply. My obligation is ensuring a secure, scalable network for projects to thrive. It’s not to KYB projects and make it a centralized network. Projects on dApp Staking are under the responsibility of the Community Council and everyone in the Astar Collective, not solely Astar Foundation; it’s a shared responsibility.

3 Likes

Your statement here is that every recent hack in web3 is the responsibility of the protocol foundation that didn’t do their DD? Please explain why the hack of Neemo is different than other hacks that made Astar Foundation responsible for the loss of millions of ASTR.

Whereas Astar Foundation doesn’t control Soneium or its projects but does secure the L1 network. To end, no loss has occurred on the L1; the Astar Foundation fully secured the amount so it is not in control of the hacker.

1 Like

Understood.

If the responsibility has been delegated and you are happy with this.

If you are happy that millions of Astar could be put at risk again in the future and this risk will always exist without controls.

If you are happy that despite being completely innocent - the blame will always fall at the feet of the Astar foundation from angry community members who don’t know any better.

Then everything is normal and working as intended and there is nothing left to discuss from my end.

1 Like

You are working with start up projects in a professional environment.

It’s not that hard to establish basic guidelines / guard rails that projects have to adhere to.

It saves a lot of pain.

Astar Foundation doesn’t control the risk of ASTR in projects. We expect the project to have the highest standard in their security to gain the trust of the users and their community. Astar Foundation will ensure the security of the ASTR token in its network, aka the decentralized blockchain.

Isn’t that the dApp Staking charter posted by the Community Council?

I do understand you have to blame someone, so I’m fine that you blame us.

1 Like

This right here.

Make it a rule that needs to be verified and followed.

Not difficult and saves your brand even though it’s not your fault for whatever issue.

At least you can turn around and say you checked for negligence or bad practice if something does go wrong.

Let’s LEARN FROM MISTAKES and implement Corrective Actions and Procedures for each one.

This is basic.

2 Likes

So how will the Community Council be held accountable?
Despite asking the question multiple times, it remains unclear how the Community Council works to ensure the health of DApps.
And then the incident really happened.

I don’t believe the Core team is responsible. We should be grateful.
It is thanks to the efforts of the core team that Neemo tokens still have the potential for a 1:1 token swap with astr.

However, if “Astar Collective” refers to the entire community, then the Astar Collective is not responsible either.
Even users who chose not to use Neemo have suffered damage to the Astar ecosystem due to the Neemo hack and now face the risk of decrease in token value.
There were Neemo users who came from Soneium but did not participate in the Astar forum or dApp staking. They can’t be called the Astar Collective.

I totally agree with the user @FFR23, and let me say that I didn’t like the answer given by Maarten at all; it almost seems like he wants to wash his hands of it.
It is absolutely true that the direct responsibility for what happened lies with the Neemo Team, but in my opinion INDIRECTLY the responsibility also falls on Astar/Startale.
Astar has advertised and pushed several times (for their own interest) the use of the nsASTR derivative (which until 2 days ago, we remember, was the most important and most used derivative within the DeFi on Astar / Soneium and in glorious past campaigns such as ACS).
I therefore find it very convenient now to place the blame / responsibility only on the end users.
At these levels I am convinced that Astar must monitor / ask for a series of proofs of certain security standards (audit, multisig etc.) from the various dApps, especially if one of these is responsible for the most important and used derivative within the ecosystem!

I sincerely hope that the Neemo Team and, in the event the latter is unable to with its own finances, Astar takes charge of the problem without making users lose money.

Personally I am very affected by the problem, having invested large sums in nsASTR, but for intellectual honesty I would say the exact same things if I had not invested a euro.

1 Like

Maarten isn’t trying to avoid responsibility; he’s arguing that there really is no responsibility, and I agree with him.

The responsibility for ensuring the health of Dapps lies with the Community Council.
I don’t know if that operation is right, but at least that’s how it is under the current rules.

In any case, unfortunately, the damage to ASTAR’s image has happened.
It is obvious and there for all to see.
It is just a matter of understanding whether or not they want to downsize.

Astar is taking direct hits to reputation, but it’s not their responsibility to fix the root cause even though they have full power and oversight to fix it quickly and permanently.

Astar collective has no governance or structure or direction.

It’s mismanagement hell to be honest, with no clear guidelines for anyone to follow.

A situation like this was inevitable and will happen again if nothing changes.

2 Likes

I agree.
Ensuring the fundamental soundness of dapps and establishing the mechanisms for doing so are not something that should be decided by governance rules.
This is a required feature by Astar, so it should not be decided by governance or anything like that.
It must be established so that it works.

Can you explain the root cause of this hack that Astar Foundation has full power over to fix quickly and permanently so no hack can occur with a project that does anything with ASTR token? I would like to learn more.

  • Governance can be found here: https://astar.subsquare.io/
    • You can find the entities that are part of the collective in the form of councils:
      • Main council (Astar Foundation): upgrades the chain, does development work and ensures security around the token on L1, does urgent fixes and ensures the chain runs scalably and 24/7
      • Community Council: responsible for the community treasury, paying our agents, UCG, dApp Staking (listing and delisting)
  • Other bodies:
    • AFC: responsible for asset management to burn ASTR or to buy back ASTR from the market with earned yield.

Related to dApp Staking, please read the code of conduct: dApp Staking Code of Conduct | Welcome to Astar, developed by the community council.

Can you teach me what guideline is missing for anyone to follow?
Soon there is a new selection of members in the Community Council and I hope you can apply so you can support dApp Staking and take a more influencing role to change things.

1 Like