$CROWN Exploit – Final Report


What happened

  • On April 28, 2023, 18:13 UTC a “Crown Collateral” wallet was exploited for 5,101,056 $CROWN (Transaction), representing ~2% of the 250,000,000 supply
  • The $CROWN funding / withdrawal services were halted immediately
  • The exploiter sold all 5.1M $CROWN back into the market within ~20 hours, eventually moving their proceeds in USDC here.
  • No private keys, user data, or user funds were at risk or affected

Details About The Attack

Players in Photo Finish™ LIVE stake their $CROWN tokens on specific racetracks within the game’s ecosystem. When a player wants to stake on a track, they move $CROWN from their own Solana wallet into a Photo Finish™ LIVE custodial wallet. To back these deposits, a collateral treasury of $CROWN, separate from the primary treasury, is kept available for player withdrawals. That collateral wallet is here.

The attacker repeatedly replayed ‘deposit’ transactions to the game server: the same deposit was presented again and again, and each replay tricked our server authority into crediting their account once more, so by withdrawing and re-depositing they drew more and more credit against the collateral treasury. To be clear, this was not an exploit of our private keys or of any Web3 / Solana smart contract; it was a flaw the attacker found in our game server. You can see the companion blockchain transactions from the exploited server requests below:
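The replay described above comes down to a server that credits a deposit every time its on-chain signature is presented, instead of exactly once. The following is an added example written for this report, not Third Time’s server code: it models a deposit-crediting service without and then with replay protection. The chain lookup is a constructed in-memory stand-in for an RPC `getTransaction` call, and the wallet, mint and signature names are made up.

```python
"""Added example (not Third Time's server code): crediting an on-chain
$CROWN deposit to an in-game balance, first without and then with replay
protection.  The chain lookup is a constructed in-memory stand-in for an
RPC getTransaction call; wallet, mint and signature names are made up."""
import sqlite3
from dataclasses import dataclass
from typing import Dict, Optional

CUSTODIAL_WALLET = "GameCustodialWallet"  # assumed name for the game's custodial wallet
CROWN_MINT = "CrownMint"                  # assumed name for the $CROWN token mint


@dataclass(frozen=True)
class ChainTransfer:
    """A confirmed SPL token transfer as it would look once parsed from the RPC."""
    signature: str
    source: str        # wallet that signed and sent the tokens
    destination: str   # wallet that received them
    mint: str
    amount: int
    confirmed: bool


# Constructed chain state: one genuine 1,000 $CROWN deposit plus two decoys.
CHAIN: Dict[str, ChainTransfer] = {
    "sig_deposit_A": ChainTransfer("sig_deposit_A", "PlayerWallet", CUSTODIAL_WALLET, CROWN_MINT, 1_000, True),
    "sig_wrong_mint": ChainTransfer("sig_wrong_mint", "PlayerWallet", CUSTODIAL_WALLET, "OtherMint", 1_000, True),
    "sig_unconfirmed": ChainTransfer("sig_unconfirmed", "PlayerWallet", CUSTODIAL_WALLET, CROWN_MINT, 1_000, False),
}


def lookup_valid_deposit(player: str, signature: str) -> Optional[ChainTransfer]:
    """Checks every property of the transfer except whether it was already credited."""
    tx = CHAIN.get(signature)
    if tx is None or not tx.confirmed:
        return None
    if tx.source != player or tx.destination != CUSTODIAL_WALLET or tx.mint != CROWN_MINT:
        return None
    return tx


class VulnerableLedger:
    """Credits a deposit every time its signature is presented: replayable."""

    def __init__(self) -> None:
        self.balances: Dict[str, int] = {}

    def credit_deposit(self, player: str, signature: str) -> bool:
        tx = lookup_valid_deposit(player, signature)
        if tx is None:
            return False
        self.balances[player] = self.balances.get(player, 0) + tx.amount  # no replay check
        return True

    def withdraw(self, player: str, amount: int) -> bool:
        if self.balances.get(player, 0) < amount:
            return False
        self.balances[player] -= amount
        return True

    def balance(self, player: str) -> int:
        return self.balances.get(player, 0)


class HardenedLedger:
    """Records each credited signature under a PRIMARY KEY, so a replay fails
    inside the same transaction that would have credited it (no check-then-write window)."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(
            "CREATE TABLE credited (signature TEXT PRIMARY KEY, player TEXT NOT NULL, amount INTEGER NOT NULL);"
            "CREATE TABLE balances (player TEXT PRIMARY KEY, amount INTEGER NOT NULL);"
        )

    def credit_deposit(self, player: str, signature: str) -> bool:
        tx = lookup_valid_deposit(player, signature)
        if tx is None:
            return False
        try:
            with self.db:  # one transaction: both rows commit or neither does
                self.db.execute("INSERT INTO credited VALUES (?, ?, ?)", (signature, player, tx.amount))
                self.db.execute("INSERT OR IGNORE INTO balances VALUES (?, 0)", (player,))
                self.db.execute("UPDATE balances SET amount = amount + ? WHERE player = ?", (tx.amount, player))
        except sqlite3.IntegrityError:
            return False  # signature already credited: this is a replay
        return True

    def withdraw(self, player: str, amount: int) -> bool:
        with self.db:
            cur = self.db.execute(
                "UPDATE balances SET amount = amount - ? WHERE player = ? AND amount >= ?",
                (amount, player, amount),
            )
        return cur.rowcount == 1

    def balance(self, player: str) -> int:
        row = self.db.execute("SELECT amount FROM balances WHERE player = ?", (player,)).fetchone()
        return row[0] if row else 0


def run_replay(ledger) -> tuple:
    """The pattern from the report: deposit once, withdraw, then replay the same deposit."""
    first = ledger.credit_deposit("PlayerWallet", "sig_deposit_A")
    withdrew = ledger.withdraw("PlayerWallet", 1_000)
    replayed = ledger.credit_deposit("PlayerWallet", "sig_deposit_A")
    return first, withdrew, replayed, ledger.balance("PlayerWallet")


if __name__ == "__main__":
    print("vulnerable:", run_replay(VulnerableLedger()))  # (True, True, True, 1000)
    print("hardened:  ", run_replay(HardenedLedger()))    # (True, True, False, 0)
```

The point of the hardened version is that the transaction signature is the idempotency key, and uniqueness is enforced by the database rather than by a separate "have I seen this?" query, so two simultaneous replays cannot both pass a check before either is recorded. Against a real chain the lookup would also require the transaction to be confirmed at a finalized commitment, since a signature seen only at a lower commitment can still be dropped.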


Actions Taken

  1. Within minutes we shut down these services while the exploit was still in progress, preventing roughly another ~1.8M $CROWN from being withdrawn. These services remain paused.
  2. We offered the exploiter an over-the-counter (OTC) deal to buy back the $CROWN and pay a bounty, to which they did not respond.
  3. We are in touch with security teams in the Web3 and Web2 space to perform third-party audits of all of our systems.


Next Steps

The team at Third Time prides itself on safety and security, so to say we are disappointed and frustrated is an understatement. We take this extremely seriously and have been working around the clock to audit and review all of our core systems, internal and external. This exploit threw a bit of a wrench in our core economy and game design, so we have two major objectives we’ve been working towards:

  1. Re-enable $CROWN staking for track ownership
  2. Ensure that players staking PFPs to earn $CROWN are not diluted on their previously planned seasonal $DERBY rewards because of step 1

Before we get into our solutions, let’s do a quick lay of the land:

Season 1 – Mar 22 to Apr 23 – players mined ~3M $CROWN from staking their PFPs. The allocation for this season was actually ~4.8M, so we have ~1.8M less $CROWN in circulation than originally planned.

Season 2 – Apr 24 to May 21 – we expect players will mine ~3.4M $CROWN from staking their PFPs, leaving ~1.4M less $CROWN in circulation than originally planned. Alongside this, the incentives pool for racing is 4.23M $CROWN across all races. Based on current race fill rates, it’s possible ~1M to ~2M less $CROWN will be in circulation than originally planned.

Season 3 – May 22 to June 12 – we expect players will mine ~3.7M $CROWN from staking their PFPs, leaving ~1.1M less $CROWN in circulation than originally planned. With the retirement of many horses, we honestly aren’t quite sure how much of the 4.23M $CROWN is going to be earned from the race incentive pool.

As you can see from the above, the game economy is somewhat self-healing, in that any overhang is eventually “made right” by continued emissions to engaged players and by the reduction in expected supply from those who aren’t. However, the way we look at this exploit is that it is our burden to bear, not something to pass down to the community.

$CROWN Staking

Since the exploit, we’ve been allowing players to request the ability to stake for Season 2 (the current season) via support tickets, so we could get a decent idea of how much damage was caused. At this point, with only 1 day left in the open period, we have staking requests totaling 662,672 $CROWN. When we froze the current in-game $CROWN staking pool, the total stake was ~2.868M $CROWN. So, if all these requests were accepted, we would have ~3.5M $CROWN staked, ~16% more than previously expected given the current PFP staking rate.

With all that being said, our plan of action is then as follows:

  1. For Season 2, closing May 4, we are taking requests to manually whitelist any player that wants to stake their $CROWN through this form (note: if you’ve already requested via Discord support ticket, you do not need to request again). The service is still not open for automation while we go through deeper security audits, but the goal here is to not punish any player who unknowingly purchased $CROWN during the exploit or was holding it prior to the exploit. Your account will be specifically whitelisted to Fund and Stake $CROWN.
  2. We will allow 3 more days of staking to get folks in, now closing the pool on May 7.
  3. Since allowing this will affect the yield, we are committing to increase the seasonal $DERBY rewards proportionally to maintain the yield that would have occurred at 3M $CROWN (the total staking rewards from Season 1). So, for example, if 600,000 $DERBY ended up in the rewards pool for the track owners staking 3M $CROWN, that is a ratio of 0.2 DERBY per CROWN. At that ratio, an extra 500k $CROWN in the pool would mean an extra 100,000 $DERBY topped up. Remember, these numbers are purely an example; whatever the final tally of DERBY ends up being will determine the ratio.
  4. For Season 3 and Season 4, we’ll do the exact same calculations, using a PFP staking rate of 72%, and top up accordingly. After Season 4, the expectation is that the economy will have naturally corrected the 5.1M overhang and there will not be more in the $CROWN staking pools than originally planned.
  5. Additionally, we are interested in discussing buy-backs with large-scale buyers who want to help us get supply back to the expected circulation more quickly. Reach out on Discord via a support ticket if you are interested in a large OTC trade at size (with a +10-15% return on your cost basis) that the team can absorb and return to a locked pool.

Future Proofing

Third Time takes security very seriously. Every web3 wallet within Third Time is either multi-sig or hardware, and our internal network and systems are undergoing an in-depth audit toward full SOC 2 compliance. However, this has obviously heightened our paranoia and given us a renewed focus on preventing future attacks. We frankly crunched to get the game live and missed this critical loophole in the process, which has shown us how important it is to slow down and be extra careful from this point forward. It’s not a Beta anymore.

During the initial shutdown of our services, we learned that the severity of this exploit could have been drastically reduced if the $CROWN mint had a freeze authority. Freeze authority is a standard but easily overlooked feature of SPL tokens on Solana: it is an optional authority set when the mint is created (it cannot be added to an existing mint, only handed off or revoked), and it lets that authority freeze individual token accounts so they can no longer transfer, burn or delegate their balance. Had $CROWN been created with one, the team could have frozen the stolen tokens in the exploiter’s wallet before they were sold. The frozen tokens are not burned; they stay stuck in place, and the mint authority (a separate authority) could then mint replacements to top up the supply. The trade-off is that holders must trust whoever holds the freeze authority not to misuse it, which is a decision to make openly if a new token is minted.
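To make the SPL Token rules above concrete, here is an added example written for this report; it is a constructed model of the relevant semantics, not the SPL Token program or any Third Time code. It replays the incident under two token configurations and shows that the freeze authority must exist from mint initialization, that freezing blocks the exploiter’s transfer without burning anything, and that topping up supply needs the separate mint authority. The account and authority names are made up.

```python
"""Added example: a constructed model (not the SPL Token program) of the
SPL Token rules that matter here: the freeze authority is fixed when the
mint is initialized, a frozen token account cannot transfer, and freezing
leaves the balance in place rather than burning it.  Names are made up."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Mint:
    mint_authority: Optional[str]
    freeze_authority: Optional[str]  # None: nobody can ever freeze accounts of this mint
    supply: int = 0


@dataclass
class TokenAccount:
    owner: str
    amount: int = 0
    frozen: bool = False


def initialize_mint(mint_authority: str, freeze_authority: Optional[str]) -> Mint:
    """InitializeMint: the only place a freeze authority can be set."""
    return Mint(mint_authority, freeze_authority)


def set_freeze_authority(mint: Mint, signer: str, new_authority: Optional[str]) -> bool:
    """SetAuthority(FreezeAccount): the current freeze authority may hand the role
    off or revoke it, but a mint created without one can never gain one."""
    if mint.freeze_authority is None or signer != mint.freeze_authority:
        return False
    mint.freeze_authority = new_authority
    return True


def mint_to(mint: Mint, account: TokenAccount, signer: str, amount: int) -> bool:
    """MintTo needs the mint authority, which is independent of the freeze authority."""
    if mint.mint_authority is None or signer != mint.mint_authority:
        return False
    mint.supply += amount
    account.amount += amount
    return True


def freeze_account(mint: Mint, account: TokenAccount, signer: str) -> bool:
    """FreezeAccount: only the mint's freeze authority may freeze a token account."""
    if mint.freeze_authority is None or signer != mint.freeze_authority:
        return False
    account.frozen = True
    return True


def transfer(src: TokenAccount, dst: TokenAccount, signer: str, amount: int) -> bool:
    """Transfer fails on a frozen source or destination; balances are untouched."""
    if src.frozen or dst.frozen or signer != src.owner or src.amount < amount:
        return False
    src.amount -= amount
    dst.amount += amount
    return True


def incident(with_freeze_authority: bool) -> dict:
    """The report's timeline under both token configurations (constructed scenario)."""
    team, exploiter, market = "TeamMultisig", "Exploiter", "DexPool"  # made-up names
    mint = initialize_mint(team, team if with_freeze_authority else None)
    stolen, dex = TokenAccount(exploiter), TokenAccount(market)
    mint_to(mint, stolen, team, 5_101_056)          # stand-in for the drained collateral

    froze = freeze_account(mint, stolen, team)       # the team's response attempt
    sold = transfer(stolen, dex, exploiter, 5_101_056)  # the exploiter tries to dump
    replacement = froze and mint_to(mint, TokenAccount(team), team, 5_101_056)
    return {
        "froze": froze,
        "exploiter_could_sell": sold,
        "stuck_in_exploiter_account": stolen.amount,
        "replacement_minted": replacement,
        "freeze_authority_changeable_now": set_freeze_authority(mint, team, team),
    }


if __name__ == "__main__":
    print("with freeze authority:   ", incident(True))
    print("without freeze authority:", incident(False))
```

The second run is the situation the report describes: with no freeze authority on the mint, `freeze_account` fails, the sale goes through, and `set_freeze_authority` cannot retroactively add one, which is why a new mint (the $CROWN 2.0 idea below) is the only way to get the capability. The freeze must also land before the exploiter's sale is confirmed, so this only helps when the response is faster than the ~20-hour dump window seen here.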

Alongside this, we have been wanting to build our own PFP staking site that is more tailor-made to our needs. This initiative might then be the trigger to mint a $CROWN 2.0 token with additional security. We’re early in this discussion, but wanted to share our thought process with the community. Outside of unstaking and restaking the PFPs, this would be zero lift for the community, as we could airdrop exact amounts to all holders and then switch all of our services to the new token with very little impact. We’ll be sure to keep you in the loop.


Summary

On April 28, 2023, the Crown Collateral wallet was exploited through a deposit-replay flaw in the game server, resulting in the loss of 5,101,056 $CROWN tokens (~2% of the total supply). The exploiter quickly sold these tokens back into the market. No private keys, user data, or user funds were affected. In response, Third Time has taken several measures, including pausing services, conducting security audits, and considering a new token minted with a freeze authority. To address the impact on $CROWN staking, the team will proportionally increase seasonal $DERBY rewards to maintain yields and will extend the staking entry period. Third Time is committed to ensuring the safety and security of its users and will continue to work on improvements to protect against future attacks.


Want to join the fun?

Visit the Photo Finish™ LIVE Linktree page to find everything you need to get started. Follow us on Twitter and join our Discord channel to receive all of our news and participate in future giveaways.