Liqwid Security Vulnerability Disclosure
On February 8th, 2023, the Liqwid protocol core team was notified of a critical security vulnerability by the Vacuumlabs audit team. The Liqwid core team acted quickly upon receiving the notification, freezing the protocol via a multisig transaction at approximately 15:20 UTC. The team withheld details of the vulnerability until the protocol pause transaction was confirmed. Following this, a PR with the fix for the issue was reviewed and validated by the security auditors. The vulnerability could have allowed a malicious user to drain funds from the market.
At this time, there is no evidence that the vulnerability was used on mainnet, but the team is taking all necessary steps to ensure a safe and secure protocol. The fix for the vulnerability has been tested and deployed on the Preview testnet market. At this time we can confirm that the fix works, and we plan to deploy it to the mainnet market tomorrow morning following additional testing.
Liqwid v1 Multisig
The Liqwid team initially launched with a multisig rather than the intended long-term on-chain governance framework, Agora. The multisig keys are distributed among core Liqwid developers, management, and representatives from MLabs, Minswap, and the Liqwid Community Managers; a transaction signed by four of the seven key holders allows scripts to bypass the protocol's typical validation logic. This was established to give the core team the ability to initialize new markets and oracles and to modify market parameters.
The multisig was also deployed as a stop-gap measure for emergencies, given that the Agora voting process can take 3-5 days to fully pass. In the future, it will be up to the community to decide whether to retire the multisig and rely exclusively on the DAO in emergencies, or to keep the multisig, potentially modifying the set of key holders. Both options are supported by the implementation of the Liqwid v1 multisig.
Forthcoming Post-Mortem and Future Steps
Once the vulnerability is fully addressed, Liqwid Labs and Vacuumlabs will conduct a thorough examination of the technical and organizational weaknesses that led to this situation. Strategies will be developed to prevent similar incidents in the future. The team will also use this opportunity to enhance its bug bounty program and improve incident response capabilities.
Liqwid Labs is currently working on analytics to fully confirm the vulnerability was not exploited in the wild. A reproducible analysis of both a PoC exploit on the testnet and an examination of the mainnet will be provided.
We appreciate the swift action taken by the Vacuumlabs team in reporting this vulnerability and the prompt response by the Liqwid core team. Our top priority is the security and stability of the Liqwid protocol and its users. Thank you for your understanding and support.