Full Report
The team behind the Henlo Kart product was working on publishing two public packages to NPM. They were worried about sensitive files, such as .env, containing deployment credentials, being leaked. This was done via the .gitignore file. For the initial deployment of two packages, this worked well. Later, an update to one of the packages was made - they wanted to exclude additional files from NPM. So, they created an .npmignore file to do this. Surprisingly, the presence of this file invalidated the .gitignore! This meant that the sensitive .env file was leaked. This contained a private key for the deployer account. After a few hours, they noticed the error. They attempted to revoke the package version, but this was not allowed because other packages they created depended on it. By the time they contacted NPM to remove the package, the damage was done - the key had been exposed. An attacker found it. The attacker took about 60ETH that was sitting in AAave. Additionally, they took control of the core Henlo contract, giving them the ability to mint new tokens. The team was able to recover some of the funds but the damage had been done. So, they rebranded the product and launched a new token from the previous snapshots. The attackers are real! This is a sad reminder of that. Good explanation of the attack and the failures though.
Analysis Summary
# Incident Report: Henlo Kart Private Key Leak and Smart Contract Compromise
## Executive Summary
On March 12, 2025, the Henlo Kart team accidentally leaked a `.env` file containing a deployer private key due to a configuration conflict between `.gitignore` and `.npmignore` files during an NPM package update. An attacker utilized the exposed credentials to drain approximately 60 ETH from Aave and seize control of the Henlo token contract. The incident resulted in a total loss of core contract integrity, necessitating a project rebrand and token relaunch.
## Incident Details
- **Discovery Date:** March 12, 2025
- **Incident Date:** March 12, 2025
- **Affected Organization:** Henlo Kart (Gaias Labs)
- **Sector:** Decentralized Finance (DeFi) / Web3 Gaming
- **Geography:** Undisclosed (Global/Remote)
## Timeline of Events
### Initial Access
- **Date/Time:** March 12, 2025
- **Vector:** Credential Leak via Public Repository Manager (NPM).
- **Details:** The team introduced an `.npmignore` file to the `@gaiaslabs/agentsmith` package. This inadvertently overrode the existing `.gitignore`, causing the `.env` file (containing the deployer private key) to be included in the public NPM registry.
### Lateral Movement
- **N/A:** The attacker used the leaked private key to gain direct administrative access to the deployer account, circumventing the need for traditional lateral movement within a network.
### Data Exfiltration/Impact
- **Financial Loss:** The attacker used a flash loan to facilitate the withdrawal of ~59.75 ETH from Aave.
- **Contract Exploit:** The attacker gained ownership of the Henlo token contract and minted ~435B tokens.
- **Additional Theft:** Theft of 1.85 ETH from a team smart contract and 8,000 USDC from a team wallet.
### Detection & Response
- **Discovery:** The team noticed the `.env` leak several hours after publication.
- **Immediate Response:** Attempted to unpublish the NPM packages, but failed due to NPM's dependency policies.
- **Support Request:** Contacted NPM support to manually remove the versions.
- **Professional Consultation:** Engaged whitehat experts to attempt fund recovery.
- **Containment:** Captured a snapshot of token holders and pulled 51 ETH in liquidity using a multisig to prevent further attacker arbitrage.
## Attack Methodology
- **Initial Access:** Public disclosure of sensitive credentials in a software registry (NPM).
- **Persistence:** Direct ownership of the core smart contract via the compromised deployer key.
- **Privilege Escalation:** Attacker assumed "Owner" permissions of the Henlo token contract.
- **Defense Evasion:** Use of flash loans to quickly extract value before the team could move funds.
- **Credential Access:** Accidental leakage of `.env` files.
- **Discovery:** Automated scanning of NPM registries for sensitive files (e.g., `.env`, `.pem`).
- **Lateral Movement:** N/A (Direct access to high-value keys).
- **Collection:** Identifying all contracts and pools associated with the compromised deployer address.
- **Exfiltration:** Transfer of ETH and USDC to attacker-controlled wallets.
- **Impact:** Complete loss of trust in the original Henlo token; unauthorized token minting.
## Impact Assessment
- **Financial:** Total loss of ~62 ETH and ~8,000 USDC, plus the devaluation of the Henlo token.
- **Data Breach:** Exposure of the deployer's private key.
- **Operational:** Total halt of the original token ecosystem; shift to rebranding and relaunching.
- **Reputational:** Public admission of critical operational security failures.
## Indicators of Compromise
- **File indicators:** `.env` file present in `@gaiaslabs/agentsmith` and `@gaiaslabs/henlo-kart` NPM packages (v. March 12).
- **Behavioral indicators:** Unauthorized `mint()` calls on the Henlo contract; unexpected `withdraw()` calls from Aave utilizing flash loans.
## Response Actions
- **Containment measures:** Removed 51 ETH in liquidity via multisig to protect remaining value.
- **Eradication steps:** Revocation of compromised ownership across various contracts (Agent Directory, OGs, etc.).
- **Recovery actions:** Secured 373 NFTs, Sudoswap pools, and Sablier streams with the help of advisors.
## Lessons Learned
- **Registry Behavior:** The team was unaware that `.npmignore` completely supersedes `.gitignore`.
- **Key Management:** Using a "hot" deployer key for contract ownership instead of a Multi-Signature (Multisig) wallet created a single point of failure.
- **Environment Handling:** Hardcoded or file-based secrets in directories intended for export are high-risk.
## Recommendations
- **Adopt Multisigs:** Move all contract ownership and high-value treasury management to Gnosis Safe or similar multisig solutions.
- **Secret Management:** Utilize environment variable managers (e.g., AWS Secrets Manager, HashiCorp Vault) rather than `.env` files in production build folders.
- **CI/CD Hardening:** Implement automated "Secret Scanning" (e.g., TruffleHog, GitHub Secret Scanning) to block deployments if a private key is detected.
- **NPM Best Practices:** Use the `files` field in `package.json` to "allow-list" files for publication, which is more secure than "deny-listing" via `.npmignore`.