ParaSpace Team at Odds With Founder Over Missing Funds
ParaSpace, a decentralized NFT lending protocol, shared today that not all of the funds were returned from the exploit that occurred back in mid-March and resulted in 2,909 ETH being recovered. At the center of the controversy is ParaSpace founder, CEO, and CTO Ruan Yubo, who's been accused of misappropriating over 50% of the user funds that were recovered.
❗ Why It Matters
ParaSpace is one of the largest NFT Fi protocols and a place where many BAYC, MAYC, and BAKC holders stake their assets for $APE. Because over 50% of funds from the March exploit were unreturned, there are no longer enough available funds from the initial amount to cover the hole in the protocol treasury.
So this news is concerning on many levels, particularly after ParaSpace had already indicated in the aftermath of the exploit that "all user funds and assets on ParaSpace are safe and secure. No NFTs were compromised and financial losses to the protocol are minimal." Trust issues abound every day in this space...
🔙 Back It Up
On March 17, 2023, ParaSpace faced an exploit due to a vulnerability in one of ParaSpace’s smart contracts, which allowed the hacker to borrow additional tokens through a six-step process. Blockchain security infrastructure firm Blocksec initially flagged the issue before proceeding to intercept the hacker. The blackhat’s contract didn’t use enough gas, so the transaction failed. Blocksec recovered 2,909 ETH (~$5 million USD) and returned the funds to ParaSpace.
- In March, ParaSpace recovered $5M from the hack, but the team now claims Ruan kept over 50% of the user funds for himself.
- All user funds and assets are safe and cannot be accessed by Yubo.
- Ruan has allegedly refused to comply with the team’s requests to return the funds and step down from his roles as CEO and CTO.
19 team members (including COO Thomas Schmidt and Chief Business Officer Jay Yao) have accused founder and CEO/CTO Ruan Yubo (@yuboruan) of misappropriating the users’ funds in question. The funds are administered by an EOA wallet (0x909...) owning the names ruanyubo.eth and paraspaceinsurance.eth (which actually redirects to yubo.eth).
From these user funds, since the hack, over $1,000,000 USD has outflown to various unknown wallets as well as to CEXs and Circle redemptions. The remainder of the user funds, vulnerable to ETH price fluctuations, are deposited in a user-type account on ParaSpace itself, earning further interest from users.
The team secured the protocol’s multi-sig, and removed Ruan Yubo as well as any addresses not directly controlled by the team. Additionally, they've added 2 team member addresses, increased the required signatories from 2 to 4 out of 5, and removed Yubo’s access and any addresses not directly controlled by the team from emergency admin roles in the protocol.
🎤 Founder Feedback
Here is the on-chain transaction to completing the rest 10% of all repayment of the hacker's debt according to schedule. In the next 48 hours, I will be posting a full post-mortem of each transaction analysis, and absurd it is that it has been mischaracterized as misuse of user…— Yubo Ruan (@yuboruan) May 10, 2023
🎤 Community Quotes
TLDR on @ParaSpace_NFT I summarized it:— Starmowa (@0xStarmowa) May 10, 2023
1) Yubo took user funds intercepted by the whitehat Blocksec in the March flashloan exploit
2) He returned a portion of that user funds, but 1.2m USD worth of assets were not returned. This left a hole in the protocol.
3) A whistleblower…
🧠 Learn More
On the "ParaSpace Current Updates" Twitter Spaces earlier today, the ParaSpace team shared their knowledge of the situation, recovery efforts, and the current status.