On Friday, 13th Sept, our Ape and Value Average programs were force closed. We’ve since deployed new versions of these programs, and also refunded the old balances to the users.
All users should now have their balances restored, and the functionality of both programs has been restored. If you have any questions, please feel free to contact us on Discord.
We are deeply apologetic for the inconvenience and any worries this might cause our users.
For full transparency, we would like to explain what happened:
What Happened
On Friday afternoon, an unauthorised party gained access to the wallet with upgrade authority for our newer Ape and Value Average programs. The third party deleted both programs on-chain, which led to us having to re-deploy the programs.
First, we immediately ascertained that there were no more potential vulnerabilities, restored user balances, and spent all of the last 48 hours making sure our users are fine and attending to support tickets. In addition, we worked with our auditor, Offside Labs, to make sure there are no other potential issues.
Operational Lapse
Our practice is to have all programs audited and migrated to a multisig before going live in production. In this case, the Ape and Value Average programs were audited, but due to an operational lapse, the lead engineer didn’t migrate these programs to a multisig.
Read Defiracer’s account here.
Isolated Incident
This was an isolated operational lapse involving only the newer VA and Ape programs.
All other Jupiter programs have the upgrade authority secured by a multisig. For example, our Perps program has always been under a multisig, while being audited 3 times by Offside, Ottersec and Sec3, and now undergoing a fourth audit by Neodyme.
Action Plan
We’ve since restored functionality by re-deploying new versions of Ape and Value Average, and also transferred the program authority to a multisig.
For balances in the old Value Average, we’ve sent the tokens directly to your wallets, 1:1 for the 454 different tokens that were deposited into VA.
Check your wallet if you have pending VAs open. The transaction also includes a memo with the old VA order ID, allowing you to cross-reference and check that you received the correct number of tokens.
For balances in Ape, we’ve reinitialized new Ape Vaults for you, and also deposited the tokens, matching closely to your old Ape balances. For some tokens which are no longer tradable, we are unable to send the tokens into the new address.
We’ve done our best to match the balances as much as we can, based on market conditions like tokens no longer being tradable. If you want to verify your balance or ask questions, feel free to open tickets in Discord.
Future Practices
Going forward, we will ensure that all programs are transferred to a diverse multisig before any user can start interacting with them. This will ensure that this incident will not happen again.
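The pre-launch rule above can be enforced as an automated release gate. The following is an added example, not Jupiter's code: it parses the header of a Solana upgradeable-loader ProgramData account and passes only when the upgrade authority is revoked or on an approved multisig list. The keys, slot, allowlist and the names `launch_gate` and `sample_account` are constructed or hypothetical.

```python
import struct

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    """Base58 text form used for Solana public keys."""
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def upgrade_authority(programdata: bytes):
    """Return (deploy_slot, authority or None) from ProgramData account bytes.
    Header layout: u32 variant (3 = ProgramData), u64 slot, 1-byte Option
    tag, 32-byte authority key. The program's ELF starts at offset 45.
    """
    if len(programdata) < 45:
        raise ValueError("account data shorter than the 45-byte header")
    variant, slot, tag = struct.unpack_from("<IQB", programdata, 0)
    if variant != 3:
        raise ValueError(f"not a ProgramData account (variant {variant})")
    if tag == 0:
        return slot, None  # authority revoked: program can no longer be upgraded
    if tag != 1:
        raise ValueError(f"malformed Option tag {tag}")
    return slot, b58encode(programdata[13:45])

def launch_gate(programdata: bytes, approved_multisigs: set):
    """Return (ok, reason); ok only if the authority is revoked or allowlisted."""
    _, authority = upgrade_authority(programdata)
    if authority is None:
        return True, "immutable"
    if authority in approved_multisigs:
        return True, f"held by approved multisig {authority}"
    return False, f"upgrade authority {authority} is not an approved multisig"

# Constructed sample data: made-up 32-byte keys, not real addresses.
MULTISIG_KEY = bytes(range(1, 33))
DEPLOYER_KEY = bytes(range(101, 133))
APPROVED = {b58encode(MULTISIG_KEY)}  # hypothetical allowlist

def sample_account(key, slot=1_000):  # key=None means authority revoked
    auth = b"\x00" + bytes(32) if key is None else b"\x01" + key
    return struct.pack("<IQ", 3, slot) + auth + b"\x7fELF"

if __name__ == "__main__":
    for name, key in [("multisig", MULTISIG_KEY), ("deployer", DEPLOYER_KEY), ("revoked", None)]:
        print(name, launch_gate(sample_account(key), APPROVED))
```

In a real pipeline the bytes would be the data of the program's ProgramData account, fetched for example with the `getAccountInfo` RPC method, and a failing gate would block the release.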