Social token platform Roll, built to be an "infrastructure for social money" has been the subject of a USD$5.7 million attack. The platform sought to host a range of tokens to allow "creatives to launch and manage their own Ethereum blockchain based money systems". The hack has diminished the value of many of the tokens hosted.
The hacker reportedly gained access to the digital asset management platform MyCrypto's private keys for the Roll hot wallet. This means that the hacker could transact the tokens within that wallet at will, which they did and the tokens were swiftly sold. The hacker then quickly moved those funds into a mixer, which is a platform that obscures digital currency transactions often used by hackers to make it harder (but not impossible) to track transactions.
This kind of hack is a key risk of projects which rely upon 'hot wallets' - named as the private keys for the wallets are able to be obtained via internet access - rather than a 'cold wallet' which stores private keys entirely offline. Cold wallets are considerably more secure as it is inherently harder to obtain a private key which is not accessible via the internet.
The hacker is reported to have stolen "11 different social tokens, including $WHALE, $RARE, and $PICA" which subsequently plummeted in value. Coin Telegraph reported that:
As a result of the attack, the market cap of social tokens on the platform fell from $1.5 billion as of March 12 to $365 million ...
Roll has announced the creation of a $500,000 fund to help the creators affected by the hack but has not yet announced a refund to users despite acknowledging that "the attacker has already sold all the tokens."
Creator of the $WHALE toked reported that 2.17% of the token was compromised but the rest of the tokens are fully secured in cold storage.
This is an unfortunate lesson in security and that hot wallets, by their very nature, are more susceptible to hacks compared to sensible cold storage solutions.