On March 12th, 2025, the Henlo Kart team published two public packages on NPM, in preparation for releasing public documentation for the Henlo Kart game and the Agentsmith framework. At the time of publishing, the team ensured appropriate security measures were in place. Sensitive files, particularly the `.env` file containing private deployment credentials, were deliberately excluded from publishing through the use of a `.gitignore` file. When the initial version of the `@gaiaslabs/agentsmith` package was published, the team verified and confirmed that the `.env` file was not uploaded. Subsequently, the Henlo Kart package (`@gaiaslabs/henlo-kart`) was published, which also correctly excluded the `.env` file. At this point, all security measures appeared effective.
A bit later, an update was required for the Agentsmith package to specifically exclude certain additional files from NPM, while keeping them visible in the public Git repository. To accomplish this, a new file called `.npmignore` was introduced. However, it was not clearly understood at the time that when a `.npmignore` file is present, npm uses it instead of `.gitignore`, so the exclusions in the existing `.gitignore` no longer applied to publishing. As a result, the sensitive `.env` file, previously protected by `.gitignore`, was unintentionally published along with updated versions of both Agentsmith and Henlo Kart, as the packages were interdependent.
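The precedence rule described above is easy to reproduce and, more importantly, easy to check for before a tarball ever reaches the registry. The script below is an added example written for this post-mortem, not code from the Henlo Kart or Agentsmith projects: it builds a constructed toy package in a temporary directory and models npm's documented ordering (a `files` allowlist in `package.json` wins, otherwise `.npmignore` is used, and `.gitignore` is consulted only when no `.npmignore` exists), then reports any secret-looking files that would ship. The three scenarios it runs mirror the incident: `.gitignore` alone, a `.npmignore` added without the `.env` entry, and a hardened `files` allowlist. The project name, file contents and the `SECRET_GLOBS` list are assumptions made for the example; the `.env` value is a placeholder, not a real key.

```python
"""Pre-publish check that models npm's ignore-file precedence (added example)."""
import fnmatch
import json
import os
import tempfile

# Subset of npm's fixed rules: these names are always shipped / never shipped.
ALWAYS_INCLUDED = {"package.json", "README.md", "LICENSE"}
ALWAYS_EXCLUDED = {".git", "node_modules", ".npmrc", ".gitignore", ".npmignore"}
# Assumed list of patterns a team would never want in a published package.
SECRET_GLOBS = [".env", ".env.*", "*.pem", "*.key"]


def _read_patterns(path):
    with open(path) as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]


def effective_rules(root):
    """Return (mode, patterns, source) following npm's precedence order."""
    with open(os.path.join(root, "package.json")) as fh:
        pkg = json.load(fh)
    if "files" in pkg:                       # allowlist beats every ignore file
        return ("files", pkg["files"], "package.json")
    for name in (".npmignore", ".gitignore"):  # .npmignore replaces .gitignore
        path = os.path.join(root, name)
        if os.path.exists(path):
            return ("ignore", _read_patterns(path), name)
    return ("ignore", [], None)


def _matches(rel, patterns):
    """Match a relative path against gitignore-style patterns (simplified)."""
    segments = rel.split("/")
    return any(fnmatch.fnmatch(rel, pat)
               or any(fnmatch.fnmatch(seg, pat.rstrip("/")) for seg in segments)
               for pat in patterns)


def would_publish(root):
    """Set of relative paths the tarball would contain under the effective rules."""
    mode, patterns, _ = effective_rules(root)
    shipped = set()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ALWAYS_EXCLUDED]
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if name in ALWAYS_INCLUDED:
                shipped.add(rel)
            elif name in ALWAYS_EXCLUDED:
                continue
            elif mode == "files":
                if _matches(rel, patterns):
                    shipped.add(rel)
            elif not _matches(rel, patterns):
                shipped.add(rel)
    return shipped


def leaked_secrets(root):
    """Sorted list of secret-looking files that would be published."""
    return sorted(p for p in would_publish(root) if _matches(p, SECRET_GLOBS))


def build_sample_project(root, npmignore=None, files_field=None):
    """Write a constructed toy package; every value here is made up."""
    pkg = {"name": "@example/toy-package", "version": "1.0.0"}
    if files_field is not None:
        pkg["files"] = files_field
    contents = {
        "package.json": json.dumps(pkg),
        "index.js": "module.exports = {};\n",
        "lib/core.js": "exports.ok = true;\n",
        "docs-internal/plan.md": "internal notes\n",
        ".env": "DEPLOYER_PRIVATE_KEY=<placeholder-not-a-real-key>\n",
        ".gitignore": ".env\nnode_modules\n",
    }
    if npmignore is not None:
        contents[".npmignore"] = npmignore
    for rel, body in contents.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)


def run_scenarios():
    """Leaked files per scenario: .gitignore only, .npmignore added, files allowlist."""
    results = {}
    for label, npmignore, files_field in (
        ("gitignore_only", None, None),
        ("npmignore_without_env", "docs-internal\n", None),
        ("files_allowlist", "docs-internal\n", ["index.js", "lib"]),
    ):
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_project(tmp, npmignore, files_field)
            results[label] = leaked_secrets(tmp)
    return results


if __name__ == "__main__":
    for label, leaked in run_scenarios().items():
        print(f"{label:24s} leaked: {leaked or 'nothing'}")
```

The model is deliberately simplified (no negation patterns, no nested ignore files), so treat it as a reasoning aid rather than a substitute for the real tool: before publishing, run `npm pack --dry-run` and read the file list npm prints, which is what would have shown `.env` in the tarball here. A `files` allowlist in `package.json` is the most robust fix because it makes the published set explicit regardless of which ignore file exists.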
Unfortunately, this oversight was not immediately identified. Several hours passed before the error was discovered, by which time the sensitive `.env` file, including the private key for the deployer account controlling critical team assets and contracts, had already been publicly exposed. Upon discovering the breach, the team promptly attempted to remove the affected packages from NPM. However, NPM policy prevents removal of packages when other packages depend on them, meaning neither compromised package could be unpublished due to their interdependency. The team quickly reached out to NPM's support for assistance, but it was already too late to prevent the exposure.
In response, the team promptly initiated internal mitigation efforts, attempting to secure remaining assets without drawing public attention to the vulnerability. At this time, the team privately reached out to a professional team of whitehat experts in the space, to help recover funds. Despite these efforts, attempts to recover approximately 59.75 ETH stored in Aave were unsuccessful. Before the assets could be recovered, an attacker successfully exploited the situation by utilizing a flash loan to withdraw the funds. Additionally, the attacker seized control of the Henlo token contract, gaining the ability to mint new tokens freely.
Following this attack, the team quickly collaborated with a group of Henlo Kart advisors to secure and recover remaining assets. Through their joint efforts, the team successfully recovered:
- All team-owned NFTs (373 Onchain Gaia NFTs)
- A Sudoswap liquidity pool containing 12 team NFTs and approximately 1 ETH
- A Sablier payment stream containing ~12,000 USDC
- Ownership of the Jackpot contract
- Ownership of the Henlo Kart game contract
- Ownership of the Agent Directory contract
- Ownership of the OGs contract
However, the attackers had already obtained:
- Approximately 59.75 ETH stored on Aave (team funds)
- Approximately 435B Henlo tokens (~$6,000 at the time) stored in a wallet intended for initial claims
- Approximately 1.85 ETH stored in a team smart contract
- Approximately 8,000 USDC stored in a wallet
- Control over the Henlo token contract, enabling the attacker to mint additional tokens
Due to the compromised ownership of the Henlo token contract, it became clear that the existing Henlo token was no longer viable. To safeguard remaining liquidity from further risk, a snapshot of token ownership percentages was captured. Subsequently, the team used team-controlled multisig tokens to remove 51 ETH worth of liquidity from the existing pool, preventing further exploitation by the attacker.
This incident has revealed significant weaknesses in operational security procedures. The Henlo Kart team fully recognizes these shortcomings, specifically noting that critical operational practices, such as the handling of private keys and contract ownerships, should have adhered to higher security standards, including using multisignature wallets and improved protection of sensitive deployment keys.
As a result, the team is committed to taking the necessary time to:
* Implement new security measures and best practices to adhere to
* Work on rebranding HENLO and work towards a relaunch of a completely new token with the same snapshot of ownership percentages
* Continue work to improve the game and gameplay (as the team has been working tirelessly on these improvements for several months)
The Henlo Kart team takes full responsibility for these security failures and sincerely apologizes to the community and all affected individuals. We acknowledge the severity of these errors, understand the harm caused, and deeply regret our failure to uphold proper operational security standards. We appreciate your continued support and patience as we work diligently to correct these mistakes, restore confidence, and strengthen the future of the Onchain Gaias ecosystem.
Your continued support is greatly appreciated and highly valued. Please stay connected through official channels to receive important updates on the progress toward an exciting relaunch.
t.me/henlokart
x.com/henlokart
Gaias forever ♥️