Decentraland Security Update
Recent LAND vulnerability report and what the Decentraland Foundation is doing to protect Decentraland's IP
The Decentraland Foundation is committed to upholding the security of Decentraland as well as to being transparent about what we do to achieve that goal. Recently, there’ve been two matters related to this topic that we wanted to update you on. One is a vulnerability to LAND contracts that was swiftly handled after being reported to us (all assets are safe), and the other is about our efforts to protect the Decentraland IP and by extension the Decentraland community.
LAND Vulnerability Situation
On March 12, a security researcher reported a critical vulnerability in the LAND smart contracts that allowed anyone to transfer LAND without the LAND owner’s permission. In response, the Decentraland Foundation urgently contacted the members of the DAO’s Security Advisory Board to amend the smart contracts, and the vulnerability was fixed within two hours of being confirmed. Since then, the Foundation has conducted two additional audits of the LAND smart contracts to ensure that the situation was truly resolved before sharing this information with you, the Decentraland community.
Timeline of Events
15:40 - Early informal notification received—security researcher was asked to notify email@example.com
16:20 - Security report received at firstname.lastname@example.org and handled by the on-call person at the Decentraland Foundation.
16:33 - SAB Team notified and asked to report immediately.
16:40 - Two SAB Team members verify the report and confirm the vulnerability.
16:50 - A SAB Team member starts building a new TheGraph subgraph implementation to detect and identify this condition on Ethereum Mainnet.
17:22 - A SAB Team member comes up with a fix.
17:28 - Four out of the SAB Team’s five members, plus one independent individual that was looped in, start verifying that the fix is sound.
17:30 - All of the SAB team is online and has reported, ready to do an emergency upgrade that needs 5/5 signers.
17:35 - Preliminary analysis of affected LAND stolen: 11 LAND plots taken by the security researcher. This LAND was returned to the Foundation by the security researcher.
17:55 - New implementation contract deployed.
18:00 - Bytecode contract verification made using private tooling, to avoid disclosing the fixed contract publicly.
18:10 - Second and third independent bytecode verifications were made with different private tools.
18:20 - Vote for the upgrade was submitted to the SAB Team.
18:30 - Voting finishes with 5/5 positive votes. The upgrade of the smart contract is finalized and the vulnerability is confirmed as fixed: https://etherscan.io/tx/0xb9c189812a5b89257a8968f069985083b8e9d8879f7e72ab08b851dfb23eb49c
18:33 - Using the TheGraph subgraph and additional on-chain information, the SAB Team confirmed that the vulnerability was not exploited in the wild, and that only the 11 LAND plots reported by the security researcher were involved.
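The 18:00 and 18:10 steps above verify that the bytecode deployed on-chain is the bytecode that was reviewed, before the 5/5 upgrade vote. The following is an added example (not the SAB’s private tooling) of the core comparison: Solidity appends a CBOR metadata trailer whose embedded source hash differs between otherwise identical builds, so the trailer is stripped before comparing. The sample bytecode is constructed; a real check would fetch the deployed runtime code with eth_getCode.

```python
"""Compare deployed runtime bytecode with a locally compiled artifact,
ignoring the Solidity metadata trailer (added example, constructed data)."""


def strip_metadata(runtime_hex: str) -> bytes:
    """Return runtime bytecode without its CBOR metadata trailer.

    Solidity appends a CBOR-encoded metadata blob and then, as the final two
    bytes, the big-endian length of that blob. If no plausible trailer is
    present the bytecode is returned unchanged.
    """
    if runtime_hex.startswith("0x"):
        runtime_hex = runtime_hex[2:]
    code = bytes.fromhex(runtime_hex)
    if len(code) < 2:
        return code
    meta_len = int.from_bytes(code[-2:], "big")
    if meta_len == 0 or meta_len + 2 > len(code):
        return code  # no trailer, or length field is not plausible
    return code[: -(meta_len + 2)]


def bytecode_matches(deployed_hex: str, compiled_hex: str) -> bool:
    """True when the executable code is identical, metadata aside."""
    return strip_metadata(deployed_hex) == strip_metadata(compiled_hex)


# Constructed sample: a short code body followed by a fake 9-byte CBOR
# trailer {"ipfs": <2-byte hash>} and its 2-byte length (0x0009).
CODE_BODY = "6080604052348015600f57600080fd5b50"
TRAILER_BUILD_A = "a16469706673" + "42aabb" + "0009"
TRAILER_BUILD_B = "a16469706673" + "42ccdd" + "0009"

DEPLOYED = "0x" + CODE_BODY + TRAILER_BUILD_A      # as returned by eth_getCode
COMPILED = CODE_BODY + TRAILER_BUILD_B             # local build, different hash
TAMPERED = "0x" + CODE_BODY[:-2] + "ff" + TRAILER_BUILD_A  # one byte changed

if __name__ == "__main__":
    print("deployed matches reviewed build:", bytecode_matches(DEPLOYED, COMPILED))
    print("tampered matches reviewed build:", bytecode_matches(TAMPERED, COMPILED))
```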
How the Decentraland Foundation is protecting the Decentraland IP
Along with its mission of protecting Decentraland’s IP for the benefit of the community, the Foundation has entrusted its legal team to carry out all actions necessary to protect the Decentraland trademark and logo from being used by impersonators. Our legal team is also doing everything it can to remove web pages, domains, and applications with malicious content that seek to mislead the general public about our platform, available at decentraland.org. To aid the legal team in this mission, the Foundation has hired reputable firms in IP research and enforcement to detect infringing content and scams and to take all necessary legal actions.
One of the firms we’ve contracted has already initiated three Uniform Domain Name Dispute Resolution Policy (UDRP) claims before the WIPO Arbitration and Mediation Center and has recently succeeded, with the result that the infringing domain has been transferred to the Foundation. In parallel, during the last months we have analyzed 881 website pages, 400 domains, 399 mobile and desktop applications, and 1187 social media listings, resulting in 2 websites, 24 domains, and 5 social media accounts being successfully taken down.
The security of Decentraland and its community is one of the Foundation’s most important goals. To that end, we will continue to act not only reactively when a threat appears, but also proactively, as we have reported to you today, so that you can continue to enjoy the experience Decentraland and its community have to offer.