Around 3:30am EST today, there was a security incident with Roll’s hot wallet. As a result, the attacker was able to steal all the tokens from this wallet and sell on Uniswap for ETH. As of this writing, it seems like a compromise of the private keys of our hot wallet and not a bug in the Roll smart contracts or any token contracts. We are investigating this with our infrastructure provider and law enforcement.
Attacker contract: https://etherscan.io/address/0xeaa86ddd49d8907c939413e92888536e4587bd9a
Attacker contract creator: https://etherscan.io/address/0x5fe4e7124d1da9046edc67a6499b565241be0167
Thank you to everyone that reached out to find ways to support. The attacker has already sold all the tokens. There is no further user action suggested at this stage. We are temporarily disabling withdraw from the Roll wallet of all social money until we have migrated our hot wallet.
It is hard to put into words how devastating this is and we are really sorry about what happened. We take security very seriously and strive to earn the trust of our creators and communities with their social money but today we messed up.
We will do a third-party audit of our security infrastructure over the coming days to ensure this never happens again. We will also run a forensic analysis to figure out how the key was compromised.
In the meantime, we are announcing a $500,000 fund to help the creators and their communities affected by this. We will reach out to every community one by one in coming days and will give more details soon.