Greetings, Formation Fi Community, supporters, investors, and friends.

Formation.Fi
Nov 27, 2021

As you may know, Crypto is a beautiful space with an abundance of opportunities, but with this comes a set of challenges that everyone has to overcome, predominantly with regards to security. We all do our best to ensure we are secure, from protecting our seed phrases to using software to ensure our devices are clean and encrypted, but every now and then something goes wrong.

On Saturday 20th November 2021, an attacker used an exploit on our network, and whilst our team reacted swiftly and effectively, some rewards from the liquidity pool were stolen.

We would like to reassure you that no investor funds, wallets or any information were affected; this was a flash-loan exploit that only affected the rewards pool.

As a result of this, we had to disable parts of the platform to stop the attack. We are sorry for not communicating this effectively, but we had to act fast and stay ahead of the attacker.

Services are now being restored.

We would like to formally apologise for the lack of communication between us and yourselves.

Please know that this was not done purposefully or negligently, but as a result of having every available member of our team on Red Alert; protecting our network, patching our network, and ensuring the safety of your funds and your trust in us, as it was, and always will be, our top priority.

We know how frustrating this can be, and we hope you will show understanding that every effort was made to ensure the safety of your funds first and foremost.

We’d also like to take a moment to show our gratitude to Steve Woody and Matthew Fitzgerald for helping to bridge the communications gap between us, a tired and passionate team of developers, and you, our community who have put their trust in our platform.

When a hacker attempts to destroy and ruin a project that we have dedicated so much time and sleepless nights to, and threatens our ability to better serve you all, we can assure you that we do not take this lying down.

As a result, we are pleased to announce that through our actions and the quick response from the dev team, we have identified the vulnerability and have been working hard to rectify and reinforce our systems and networks so that this never happens again.

In the interests of full transparency, please see details of the exploit below:

Exploit type: Flash Swap vulnerability

Contracts affected:

BSC: 0xe2ee850d72d02b3D827b98847d332aDD0d3f0012

ETH: 0x62931dEce3411Ada1038C09cD01bAa11dB08334B

Root cause:

The farming contract used the current token balances of the liquidity pool for price discovery of the FORM token and the LP token, in order to calculate the USD (stablecoin) value of a position and pay rewards accordingly.

```solidity
function getRewardsValueInForm(uint256 amount) private view returns (uint256) {
    // Spot price taken directly from the LP pair's current token balances
    uint256 formTokenBalance = formToken.balanceOf(address(lpToken));
    uint256 stableCoinBalance = stableToken.balanceOf(address(lpToken));
    // FORM price in stablecoin, scaled by ONE_ETH (1e18)
    uint256 formPrice = (stableCoinBalance * ONE_ETH) / formTokenBalance;
    // Convert the USD-denominated reward amount into FORM at that spot price
    uint256 rewardInForm = (amount * ONE_ETH) / formPrice;
    return rewardInForm;
}
```

The flash swap mechanism allows the price of the FORM token to be altered within a single transaction — the exploit contract used that in order to excessively inflate the reward calculated in the withdrawal transaction.

The exploit proceeded in the following order:

1. Stake LP token (transaction 1)

2. Pull available funds from the pool (alter the price of FORM token), unstake LP token and send back funds to the pool. (transaction 2)

We were able to prevent this from happening by setting the multiplier to 0, which makes the contract send no FORMs for any new staked LP tokens.
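As an added illustration (not Formation Fi's code, and not the V3 fix), the following Python model reproduces the integer arithmetic of getRewardsValueInForm above and shows how the reward changes when stablecoin leaves the pair within one transaction, beside a time-weighted average price reading (an assumed Uniswap-V2-style cumulative accumulator) that such an in-transaction change cannot move. Pool sizes, the reward amount and the pulled amount are constructed values.

```python
ONE_ETH = 10**18  # same 1e18 scaling factor as the Solidity snippet


class Pool:
    """Constant-product LP pair holding FORM and a stablecoin (constructed numbers)."""

    def __init__(self, form_reserve, stable_reserve):
        self.form = form_reserve
        self.stable = stable_reserve
        self.cum_price = 0   # Uniswap-V2-style cumulative price accumulator
        self.last_ts = 0

    def spot_form_price(self):
        # Mirrors: formPrice = (stableCoinBalance * ONE_ETH) / formTokenBalance
        return (self.stable * ONE_ETH) // self.form

    def observe(self, ts):
        # Accumulate price * elapsed seconds for the reserves held since last_ts;
        # call this before every reserve change, as the pair's _update would.
        self.cum_price += self.spot_form_price() * (ts - self.last_ts)
        self.last_ts = ts


def rewards_value_in_form(amount_usd, form_price):
    # Mirrors: rewardInForm = (amount * ONE_ETH) / formPrice
    return (amount_usd * ONE_ETH) // form_price


def twap_form_price(cum_start, cum_end, ts_start, ts_end):
    # Time-weighted average over a window spanning several blocks: reserves that
    # exist only inside one transaction are held for zero seconds and drop out.
    return (cum_end - cum_start) // (ts_end - ts_start)


def scenario(reward_usd, stable_pulled, window_s=3600):
    """Return the FORM paid out at (true spot, manipulated spot, TWAP) prices."""
    pool = Pool(1_000_000 * ONE_ETH, 100_000 * ONE_ETH)  # FORM trades at $0.10
    cum0, t0 = pool.cum_price, pool.last_ts
    honest = rewards_value_in_form(reward_usd, pool.spot_form_price())
    # window_s later, inside a single transaction: stablecoin is pulled out of
    # the pair (flash swap), the withdrawal is processed, the stablecoin returns.
    pool.observe(window_s)
    cum1, t1 = pool.cum_price, pool.last_ts
    pool.stable -= stable_pulled
    manipulated = rewards_value_in_form(reward_usd, pool.spot_form_price())
    pool.stable += stable_pulled
    twap = rewards_value_in_form(reward_usd, twap_form_price(cum0, cum1, t0, t1))
    return honest, manipulated, twap
```

With scenario(50 * ONE_ETH, 90_000 * ONE_ETH), a $50 reward pays 500 FORM at the true price, 5,000 FORM at the manipulated spot price, and 500 FORM at the TWAP.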

Our dev team is currently working on V3, which will address the issues identified. Until V3 is released, for your protection, all reward pools and cross-chain swaps have been disabled until further notice.

Rest assured, this is not a huge issue: our team caught the attacker early and the loss was negligible, network hardening has been implemented, and a solution is being deployed.

We have learned a great deal from this attack: not only is our team fully prepared at such short notice to defend against and repair exploits, but our existing defenses surpassed expectations during the execution of the attack, allowing us to keep the damage to a minimum.

We feel that this is a learning experience for all of us.

The lessons we learned from this experience will prepare us to take significantly stronger measures to galvanise our defenses in preparation for the launch of Alpha, and we will continue to do so afterwards.

Once again, thank you to our amazing community for their continued support, and we’ll see you all very soon with some very exciting news…

• FormationFi Team