We appreciate our community’s support and trust during this time, as we work to resolve our recent incident. As a brief overview of our plans going forward, we will be able to restore the $NUMA token price this week. Simultaneously, we are currently working with our auditor, Sherlock, to apply the necessary fixes to our codebase in preparation for the Sonic launch. Lending will reopen on Arbitrum after the Sonic launch. Further details are outlined below.
Details on what happened
The user employed a very sophisticated and targeted method to manipulate the price of the $NUMA token, while simultaneously opening large short and long positions, removing deposited collateral by liquidating themselves, and exiting through the vault. Two main addresses were used in this process: (1) 0xC16aa4f009F92Beb48e5072D2CA432Eee03dCd9C and (2) 0x8594a25d20aef0e507c1cbe06cc8284be7ea5da1.
The basic steps were as follows:
Address #1 flashloaned 3,760 rETH and 631,422 $NUMA from external sources.
Address #1 deposited 3,760 rETH to the numa protocol and minted the equivalent in crETH.
Address #1 borrowed 3,626,482 $NUMA from the numa protocol and transferred them to address #2. These $NUMA were deposited to mint 3,626,482 on address #2, and this process was repeated five times.
Address #1 borrowed another 3,626,482 $NUMA from the numa protocol and sold them into the vault for 312 rETH.
Address #1 redeemed 1,080 rETH of their deposited collateral from step 1.
Address #1 directly deposited (donated) 150 rETH to the numa vault, so that the $NUMA token price increased and their initial borrow became liquidatable.
Address #1 bought 85,511 $NUMA tokens from the vault.
Address #1 transferred 631,422 $NUMA tokens to address #2.
Address #2 repeatedly liquidated address #1’s position and redeemed $NUMA tokens from #1’s cNUMA position from step 3. This was done 26 times, so that the 2,680 rETH remaining in collateral was retrieved.
Address #2 borrowed the remaining 131 rETH from their deposits.
The primary methods used:
The donation to manipulate the price of $NUMA.
The ability to borrow more than the existing supply of $NUMA.
Borrowing $NUMA.
How was it discovered and how was it stopped?
As previously mentioned, the manipulation was discovered approximately an hour after it was executed. Drew was working on UI updates in preparation for Sonic launch and noticed a sudden price increase on the $NUMA token and notified the team and auditors to start investigating. Fortunately—and as designed—the protocol has safeguards in place that halted the user’s actions before they could get any worse. As a safety measure, the protocol only allows a certain percentage of the vault value to be borrowed, and this prevented any additional funds from being extracted.
Arbitrum remediation
As noted, remediating the current situation involves restoring the $NUMA token price to pre-manipulation levels: price recovery will be accomplished within about a week. In short, users will be made whole and the remaining missing funds will be rectified by the protocol and team.
In total, 3,626,482 $NUMA of collateral were extracted from the protocol; these funds represent collateral deposits for those who have taken out loans. Of the 3,626,482 $NUMA, 2,132,994 represent collateral owned by the protocol itself, team members, and partners. This means that 1,493,488 $NUMA are owed to “external” users.
To remedy this situation, the numa protocol will deposit the existing vault rewards of approximately 35 rETH. Additionally, the protocol has received a contribution of $100,000 from outside sources, which will also be deposited to the vault. Prior to the manipulation, the $NUMA vault sell price was 0.00008612 rETH (~15¢ at the time); currently, the $NUMA vault sell price is 0.000035391 rETH (~6¢ at the time of the incident). This represents a reduction in price by approximately 60%. Depositing the $100,000 and 35 rETH will raise the $NUMA price to approximately 0.0000557 rETH (~11¢ at current prices).
The remaining gap of approximately 0.0000304 rETH or ~4¢ will be remedied by essentially writing off the debt owed to the collateral, team, and partners. This will bring the price up to the pre-incident value of 0.00008612 rETH. Essentially, the team won’t bother to make themselves whole, so that users can be made whole. It is most important to us that the community understands our level of commitment and dedication to restoring trust.
As noted above, the Arbitrum lending protocol will reopen after the Sonic launch; in the meantime, the vault will remain open. We have a detailed plan for reopening lending on Arbitrum, but it will take more time than simply applying fixes to our existing codebase and launching on Sonic, since we must carefully log existing user positions, recreate them, and redeploy the contracts. As a result, the protocol has decided that it is better to move forward with the Sonic launch, while simultaneously deploying additional resources to work on the Arbitrum reopening.
Changes to code before Sonic launch
In order to launch on Sonic, we will make some changes to our codebase and have them reviewed by Sherlock. The main change that will be made is simply to turn off the ability to short $NUMA. This is all that is required to launch on Sonic and the only fix we will be pursuing in the short-term. If we choose to enable shorts in the future, then we will also need to limit the amount of $NUMA which can be borrowed to the current circulating supply and also block the ability to donate directly to the vault.
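The two longer-term safeguards named above (capping $NUMA borrows at circulating supply and neutralising direct donations) can be modelled in a few lines. This is an added example, not the protocol's code: the `VaultModel` class, the price formula (backing rETH divided by circulating $NUMA) and the starting balances are simplifying assumptions, and only the 150 rETH donation figure comes from the incident description.

```python
from dataclasses import dataclass
from fractions import Fraction


class BorrowCapExceeded(Exception):
    """Raised when a borrow would push total debt above circulating supply."""


@dataclass
class VaultModel:                # hypothetical model, not a Numa contract
    accounted_reth: int          # rETH recorded by the deposit/mint paths
    raw_reth: int                # rETH the vault address actually holds
    numa_supply: int             # circulating NUMA
    numa_borrowed: int = 0       # outstanding NUMA debt

    def donate(self, reth: int) -> None:
        # Direct transfer: the raw balance moves, the books do not.
        self.raw_reth += reth

    def price_from_balance(self) -> Fraction:
        # Donation-sensitive: prices off whatever sits at the vault address.
        return Fraction(self.raw_reth, self.numa_supply)

    def price_from_accounting(self) -> Fraction:
        # Donation-resistant: only accounted deposits back the price.
        return Fraction(self.accounted_reth, self.numa_supply)

    def unaccounted_reth(self) -> int:
        # A non-zero surplus is a signal worth alerting on.
        return self.raw_reth - self.accounted_reth

    def borrow_numa(self, amount: int) -> None:
        # Cap total debt at circulating supply.
        if self.numa_borrowed + amount > self.numa_supply:
            raise BorrowCapExceeded(f"borrow of {amount} exceeds supply")
        self.numa_borrowed += amount


def donation_effect(donation: int = 150):
    # Constructed starting state, not the real vault's figures.
    v = VaultModel(accounted_reth=1_000, raw_reth=1_000,
                   numa_supply=10_000_000)
    before = v.price_from_balance()
    v.donate(donation)
    return (before, v.price_from_balance(),
            v.price_from_accounting(), v.unaccounted_reth())
```

In this model the donation moves the balance-derived price by 15% while the accounting-derived price stays flat, and the unaccounted surplus gives monitoring a direct value to alert on.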
The process will involve applying the fixes, getting them reviewed by Sherlock, deploying the new contracts, and integrating the UI. We expect to launch on Sonic towards the end of May, and we remain optimistic and excited about its potential. Further updates will come over the coming weeks.
Future rollout
To recap, we will move forward with the Sonic launch, while simultaneously working to reopen Arbitrum. We expect the Sonic launch towards the end of May. After this is successful, reopening lending on Arbitrum should follow shortly after, while we move towards launching on subsequent EVM-chains.
Lastly, Drew will be conducting an AMA next week to answer questions related to the incident and our future plans. Please submit your questions to the Google Form here by this Friday, May 2nd at 12:00PM UTC. The AMA will be conducted as an X Space and will be announced on Monday. As always, we greatly appreciate the community’s support and trust during this time. We look forward to our upcoming updates and releases.