First community letter of the QIAN community

Dear QIAN community,

The QIAN stablecoin protocol was officially launched on October 23, 2020, and the total circulating supply of QUSD has exceeded 30 million in the days since, an achievement shared by every member of the QIAN community. The launch of QIAN has attracted the attention not only of the global cryptocurrency community but also of ChainNews, Huoxing Finance and other media. Meanwhile, our official Discord community is growing and has now surpassed 200 members, and the Telegram group chat has reached almost 5.1K members. Here, David Lei, the founder of the QIAN community, gives community members a summary report on QIAN's first week, covering a few topics.

I. QIAN Development Team Summary

David Lei, Jeffery Chu and Collin Wang, core members of the QIAN community, reviewed the overall performance of the project and the community at key milestones such as the QUSD launch and the Balancer liquidity pool launch. The review found that, apart from a few large community users who actively maintain the Balancer liquidity pool (adding QUSD liquidity only, or withdrawing KUN), most QUSD holders do not add QUSD to the Balancer liquidity pool to farm the high-yield KUN incentive rewards. This also concentrates control of the KUN token and will affect subsequent community governance.

Based on the above summary, the core members of the QIAN community recommend the following improvements.

1.1 After the first week of the Balancer liquidity pool incentive, give liquidity mining a wrap-up period of approximately 72 to 96 hours to allow adequate technical and market preparation for the second phase of Ethereum network liquidity mining.

1.2 Starting from the second round of Balancer liquidity mining, strengthen the support that QUSD gives to the KUN price, and at the same time increase the liquidity pool and the liquidity incentive so that more users transfer QUSD into Balancer, bringing the KUN price into a positive loop.

1.3 Collaborate with the s.finance project on the Ethereum network, activate the liquidity pool of QUSD and other stablecoins during the second mining incentive period, and enable QUSD holders to mine KUN and SFG at the same time.

1.4 Bring BSC's Equator and bStable liquidity pools online, together with BSC liquidity mining, in the Phase 2 mining period.

1.5 After each week of liquidity mining, the core members will review the outcome of that round and initiate community discussion and voting on how to keep improving the design and performance of liquidity mining and the KUN token price.

Through the above planning, we can enable KUN and QUSD to be traded in a larger market, strengthen the loyalty of QUSD token holders, and prepare sufficiently for KUN to begin governance mining and governance voting.

II. QIAN Community Governance

At the beginning of QIAN's community operation, David established the Discord community. This week, Discord community members had a full and in-depth exchange of ideas on project development, economic models, operation and product usage, which gave an early indication of QIAN's potential for strong community governance.

At the same time, David initiated a Discord channel for QIAN community guardians, the active members who form the backbone of the community and keep discussion healthy and orderly. In return for their active participation in community building, the guardians will receive invitations to future QIAN community offline events, as well as reimbursement of transportation and accommodation expenses. For guardians who do not meet the requirements of community building, there will be a mechanism for renewing the guardian team; all community members are welcome to participate actively in the development of QIAN and become honorary guardians.

III. An attack and defense on KUN

While QIAN draws attention from the blockchain world, hackers and attackers around the world have also started to notice QIAN and KUN. At around 2:30 am GMT on October 26, 2020, the development team found that the KUN token supply on Ethereum had been tampered with. The development team immediately took the following actions to deal with the problem.

3.1.1 Suspecting that some unknown defect in the QIAN/KUN codebase had been noticed after it was open-sourced, the team immediately made the code repository private.

3.1.2 Suspecting that the smart contract deployment server had been compromised, community tech leader Seamon logged in to the server with his personal private key, revoked the team's shared private key, and helped the dev team look for traces of intrusion.

3.1.3 Suspecting that a personal computer used for QIAN/KUN development had been compromised, every team member checked their own devices for traces of intrusion.

3.1.4 Changed the KUN management private key immediately and abandoned the old private key.

3.1.5 Froze the KUN tokens minted by the intruder.

3.1.6 Revoked all privileges held by the compromised old private key.

3.1.7 Upgraded the QUSD contracts, adding a permission to freeze QUSD held by the intruder.

3.1.8 Checked the other management private keys that could potentially have been affected.

The attack had the following effects.

3.2.1 The attacker minted 1,289,758.7181 KUN tokens; 1,288,526.7181 of them were frozen following the upgrade of the KUN token smart contract, so the additional KUN tokens issued will have no impact on the market.

3.2.2 The attacker added 1,232 KUN tokens as single-token liquidity to Balancer in exchange for 10,264.2624 QUSD, of which 3,123 QUSD were deposited into the ForTube platform and the remaining QUSD were kept in two accounts controlled by the attacker.

After investigation, the deployment server showed no traces of intrusion and the dev team's personal computers showed no traces of intrusion either; the issue was finally traced to the leakage of sensitive data in the open-sourced code repository. The details are as follows:

3.3.1 All historical records of the codebase https://github.com/QIAN-Protocol/QIAN had been retained during the audit process at the request of the code auditor.

3.3.2 In order to run the Rinkeby test script, the private key involved in this leak was written into a file in the repository as a test account on June 17.

3.3.3 On July 12, all private keys were removed from the codebase to mitigate the security risk. However, the private key could still be found in the GitHub repository history.

3.3.4 The KUN token contract was deployed using the same private key that had been used for testing on June 17.

3.3.5 At 18:00 GMT on October 25, https://github.com/QIAN-Protocol/QIAN was open-sourced directly by David himself without deleting the repository history.

3.3.6 The attacker searched the history of the open-sourced repository, found the private key, gained access to KUN administration, and sent the first transaction around 13:00 GMT on October 26: https://etherscan.io/tx/0x2281609b0b3075e3d2fed5e10a52b61f8d9815a24569c0ce9bd950c46b5ebfde
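The failure mode in 3.3.3 is that deleting a secret from the working tree leaves it in every commit that ever contained it, so a scan of the current files finds nothing while a scan of `git log -p` finds it immediately. The following is an added example, not code from the QIAN project, of a history scanner a team can run before open-sourcing a repository: it parses `git log -p` output, inspects only added lines, and separates high-confidence hits (a 64-hex value next to a keyword such as `PRIVATE_KEY`) from low-confidence ones (a bare 64-hex value, which is just as often a transaction hash). The sample log, commit ids, file path and key value are all constructed; the regexes and the 80-character preview limit are assumptions.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Added example, not the QIAN project's code: scan `git log -p` output for
# secrets that were committed at any point, including ones later removed.

# Ethereum private keys are 32 bytes of hex, optionally 0x-prefixed. Tx and
# keccak hashes have the same shape, so a keyword on the line separates
# high- from low-confidence hits. Patterns are assumptions for this example.
HEX64_RE = re.compile(r"(?<![0-9a-fA-F])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])")
KEYWORD_RE = re.compile(r"private[_-]?key|secret|mnemonic|seed", re.I)
PEM_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    commit: str
    path: str
    line_no: int   # line number in the file as of that commit
    kind: str      # "pem-private-key", "eth-private-key" or "hex64-candidate"
    preview: str   # the offending line with the hex value redacted


def classify(content: str) -> Optional[str]:
    """Return the kind of secret an added line looks like, or None."""
    if PEM_RE.search(content):
        return "pem-private-key"
    if HEX64_RE.search(content):
        return "eth-private-key" if KEYWORD_RE.search(content) else "hex64-candidate"
    return None


def scan_history(log_text: str) -> List[Finding]:
    """Walk `git log -p` output and report every added line that looks like a secret.

    Only '+' lines are inspected: a secret removed in a later commit still shows
    up in the commit that added it, which is what a HEAD-only scan misses.
    """
    findings: List[Finding] = []
    commit = path = None
    line_no = 0
    for raw in log_text.splitlines():
        m = COMMIT_RE.match(raw)
        if m:
            commit, path = m.group(1), None
            continue
        if raw.startswith("+++ "):
            target = raw[4:]
            path = target[2:] if target.startswith("b/") else None  # /dev/null: deleted file
            continue
        if raw.startswith("--- "):
            continue
        m = HUNK_RE.match(raw)
        if m:
            line_no = int(m.group(1))  # first line number of the new side of the hunk
            continue
        if raw.startswith("+") and path is not None:
            kind = classify(raw[1:])
            if kind:
                preview = HEX64_RE.sub("<redacted>", raw[1:])[:80]
                findings.append(Finding(commit, path, line_no, kind, preview))
            line_no += 1
        elif raw.startswith(" "):
            line_no += 1  # context line: present on the new side too
        # '-' lines belong to the old version and do not advance the counter
    return findings


def scan_repo(repo_path: str) -> List[Finding]:
    """Run the scan against a real checkout: every branch, full history."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    return scan_history(out)


# Constructed sample of `git log -p` output (newest commit first): a key added
# on June 17 and removed on July 12, plus a harmless 64-hex tx hash in a comment.
SAMPLE_LOG = """\
commit b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1
Author: dev <dev@example.invalid>
Date:   Sun Jul 12 10:00:00 2020 +0800

    remove private key from repo

diff --git a/scripts/rinkeby_test.js b/scripts/rinkeby_test.js
--- a/scripts/rinkeby_test.js
+++ b/scripts/rinkeby_test.js
@@ -1,3 +1,4 @@
 // test account for Rinkeby
-const PRIVATE_KEY = "0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
+const PRIVATE_KEY = process.env.RINKEBY_PRIVATE_KEY;
+// last deploy tx: 0xabababababababababababababababababababababababababababababababab
 module.exports = { PRIVATE_KEY };
commit a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0
Author: dev <dev@example.invalid>
Date:   Wed Jun 17 10:00:00 2020 +0800

    add rinkeby test script

diff --git a/scripts/rinkeby_test.js b/scripts/rinkeby_test.js
new file mode 100644
--- /dev/null
+++ b/scripts/rinkeby_test.js
@@ -0,0 +1,3 @@
+// test account for Rinkeby
+const PRIVATE_KEY = "0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
+module.exports = { PRIVATE_KEY };
"""

if __name__ == "__main__":
    for f in scan_history(SAMPLE_LOG):
        print(f"{f.commit[:7]} {f.path}:{f.line_no} [{f.kind}] {f.preview}")
```

Run against the sample, the scanner reports the key in the June 17 commit as `eth-private-key` even though the July 12 commit removed it, and reports the comment-line hash as a `hex64-candidate` for a human to dismiss. The `scan_repo` helper applies the same logic to a real checkout; the practical lesson from 3.3.x is that a clean HEAD is not a clean repository, and `scan_repo` returning nothing is the bar to clear before making a repository public.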

Reviewing the above attack process, we can see that this attack succeeded mainly because of negligence by team members. Fortunately, the attack was discovered in time, the amount of KUN tokens sold by the attacker was limited, and the QUSD held by the attacker was permanently frozen, so the community did not suffer a large loss. The KUN price drop caused by the attacker's selling has been corrected by the Balancer liquidity providers, and the majority of QUSD and KUN token holders suffered no actual losses.

The devil is in the details. To avoid similar attacks in the future, the QIAN stablecoin development team will strictly implement the following rules for code security management.

3.4.1 Strictly implement the security principle of "one private key at a time": when deploying contracts in the production environment, use a new management private key for each project, and strictly prohibit reuse of an old private key.

3.4.2 Strictly enforce the security principle of "brand new open source": delete all history and resubmit the code before a code repository is opened to the public.

3.4.3 Continue to adhere to the security principle of never committing sensitive data to the repository: all sensitive data is read locally and is never submitted to the repository.

3.4.4 Resolve the other issues identified in this round of troubleshooting, such as removing all code containing sensitive data from the server after it deploys a contract.

3.4.5 Rotate the management private key regularly. For projects with large locked assets, consider "one key at a time": after each management operation is completed, replace the old private key with a new one and discard the old one.

3.4.6 Develop a monitoring system for the management private key that raises an alert as soon as the key is used in an abnormal transaction.
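Rule 3.4.6 is the one that would have shortened the window between the attacker's first transaction and the team's discovery in section 3.1. The following is an added example, not the QIAN project's monitoring code, of what "abnormal transaction of the management private key" can mean in concrete, checkable terms: every transaction sent by the management address is evaluated against an announced maintenance window, an allowlist of managed contracts, a per-transaction mint cap and a per-hour rate limit on privileged calls. The addresses, transaction records and policy values below are constructed for the example; the rule names and thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Set, Tuple

# Added example, not the QIAN project's code. Every address, transaction and
# policy value here is constructed; the rules are assumptions about what an
# "abnormal" use of a management key looks like.

UTC = timezone.utc


@dataclass
class Tx:
    tx_hash: str
    sender: str
    to: str
    method: str     # decoded function name, e.g. "mint"
    amount: int     # token amount in whole units, 0 for calls without one
    when: datetime  # block timestamp, UTC


@dataclass
class Policy:
    admin: str                                # current management address
    managed_contracts: Set[str]               # contracts the admin key is meant to touch
    privileged_methods: Set[str]              # calls that should only happen on purpose
    windows: List[Tuple[datetime, datetime]]  # announced maintenance windows
    max_mint_per_tx: int
    max_privileged_per_hour: int


@dataclass
class Alert:
    tx_hash: str
    rule: str
    detail: str


def in_window(when: datetime, windows) -> bool:
    return any(start <= when <= end for start, end in windows)


def monitor(txs: List[Tx], policy: Policy) -> List[Alert]:
    """Evaluate transactions sent by the management key against the policy.

    Rules: the destination must be a managed contract; privileged calls must
    fall inside an announced window; mints must stay under the per-tx cap;
    privileged calls must not burst beyond the per-hour limit.
    """
    alerts: List[Alert] = []
    managed = {c.lower() for c in policy.managed_contracts}
    recent: List[datetime] = []  # privileged-call timestamps for the rate rule
    for tx in sorted(txs, key=lambda t: t.when):
        if tx.sender.lower() != policy.admin.lower():
            continue  # other senders are another monitor's job
        if tx.to.lower() not in managed:
            alerts.append(Alert(tx.tx_hash, "unexpected-destination", f"admin key sent to {tx.to}"))
        if tx.method in policy.privileged_methods:
            if not in_window(tx.when, policy.windows):
                alerts.append(Alert(tx.tx_hash, "outside-window", f"{tx.method} at {tx.when.isoformat()}"))
            if tx.method == "mint" and tx.amount > policy.max_mint_per_tx:
                alerts.append(Alert(tx.tx_hash, "mint-over-cap", f"{tx.amount} > {policy.max_mint_per_tx}"))
            recent = [t for t in recent if tx.when - t < timedelta(hours=1)] + [tx.when]
            if len(recent) > policy.max_privileged_per_hour:
                alerts.append(Alert(tx.tx_hash, "privileged-burst", f"{len(recent)} privileged calls in an hour"))
    return alerts


# Constructed addresses (placeholders, not real contracts).
ADMIN, KUN, QUSD, BALANCER = ("0x" + d * 20 for d in ("11", "22", "33", "44"))

POLICY = Policy(
    admin=ADMIN,
    managed_contracts={KUN, QUSD},
    privileged_methods={"mint", "transferOwnership", "freeze"},
    windows=[(datetime(2020, 10, 24, 8, tzinfo=UTC), datetime(2020, 10, 24, 10, tzinfo=UTC))],
    max_mint_per_tx=500_000,
    max_privileged_per_hour=1,
)

# Constructed transaction feed: one planned mint, then an unplanned mint,
# a swap on a pool the key should never touch, and an ownership change.
SAMPLE_TXS = [
    Tx("tx-planned-mint", ADMIN, KUN, "mint", 100_000, datetime(2020, 10, 24, 9, tzinfo=UTC)),
    Tx("tx-unplanned-mint", ADMIN, KUN, "mint", 1_289_758, datetime(2020, 10, 26, 13, tzinfo=UTC)),
    Tx("tx-balancer-swap", ADMIN, BALANCER, "joinswapExternAmountIn", 1_232, datetime(2020, 10, 26, 13, 20, tzinfo=UTC)),
    Tx("tx-owner-change", ADMIN, KUN, "transferOwnership", 0, datetime(2020, 10, 26, 13, 25, tzinfo=UTC)),
]

if __name__ == "__main__":
    for a in monitor(SAMPLE_TXS, POLICY):
        print(f"{a.tx_hash}: {a.rule} ({a.detail})")
```

The planned mint produces no alert, while the three later transactions each trip at least one rule, and the ownership change trips the burst rule as well because it is the second privileged call within an hour. The design point is that the alert fires on the first transaction rather than on price movement: the management key is only ever meant to do a short, pre-announced list of things, so anything else is worth a page. Under rule 3.4.5, rotating the key after each operation means `Policy.admin` changes too, and a stale address still sending transactions is itself a finding.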

Based on the above security principles, and to protect the project code and the safe operation of the private keys, the development team has re-open-sourced all the code of QIAN and KUN after deleting all the history; the open-source code repository is at https://github.com/QIAN-Protocol. The development team has also invited the PeckShield team to assist us with code security design when we make code adjustments in the future.

The above is a summary of the work done by David and a few core members of the QIAN community since the official launch of QIAN one week ago. We look forward to working with our community members to build QIAN KUN into the next important piece of DeFi infrastructure.

David Lei
QIAN Community Initiator