Project 0 Saved a User's $3M Portfolio from a Live Wallet Hack

Last week’s Drift hack reminded us of a similar incident our team dealt with recently that happened on a more personal level where a DeFi user urgently reached out to Project 0 (P0) about their balance. Their wallet had been hacked by clicking on a phishing link when trying to visit Raydium, and their funds had been drained instantly.

Actually, almost all their funds. $3M in token value the user had deposited into Project 0 was still there. P0 uses an evolved account architecture, and it had thwarted the drainer function the attacker implemented.

Often, when users reach out under these circumstances, the default stance – especially among off-chain products – is that there’s nothing the team can do. P0 didn’t follow this code and responded immediately to the user’s message.

The Problem

The P0 team was on an offsite and was traveling, but they stopped what they were doing, quickly huddled, and got to work. They built an account transfer tool that enabled an individual with the seed phrase to their wallet to transfer their funds to a different account.

The P0 team quickly tested this with their own money while sitting in an airport together. Building time-sensitive, on-chain products like this is a difficult task, but the P0 team is world class. They tested the product with funds out of pocket. It worked. Then, they prepared a UI for the user to take advantage of the functionality.

The only catch is executing a transfer requires signing a transaction and paying a small gas fee. In most cases, the wallet transfer P0 built can operate seamlessly when a hacker has taken a user’s private keys and drained their funds. But this case was different. The wallet itself was no longer owned by the System Program and instead was owned by the attacker’s custom program, which prevented the user from signing.

Our Solution

In roughly two hours, we updated the account transfer instruction to support a separate keypair as the feepayer. This enabled us to spin up and fund a third wallet to cover the transaction fee. The transfer was executed and the funds were moved to a new account with the users new uncompromised wallet as the authority.

Most DeFi protocols can’t do what we did here. There’s no team to call, no lever to pull, no one writing custom code in real time because your portfolio is on the line.

We built Project 0 with the mission of giving users the tools they need to manage their DeFi portfolios. But that belief in self-sovereignty doesn’t mean users are left out to dry when something goes wrong.

At Project 0 we’re building the platform that gives users complete control over their portfolio, with the support to match it. As last week’s Drift hack reminds us, that means fast, technical responses when users are in trouble, not just a good UI when things are going well.

If you’re managing meaningful capital on-chain, you should know who’s behind the product you’re using.Try Project 0 today at 0.xyz →