December 2nd, 2022

Community Safety Notice

Dear Hathorpay Community,

Thank you for your patience during our code security audit these last few weeks.

The audit is now complete and we have discovered the source of the vulnerability, which affects Hathorpay users exclusively.

The official Hathor wallets and Exchange wallets do not appear to have any issues.

The vulnerability allowed an attacker to decrypt the user's seed phrase stored in browser memory by means of phishing and an infected link or content. We have not yet identified which website, content, or phishing link the attacker used to exploit this vulnerability. For this reason, we strongly recommend that you stop using Hathorpay until this is addressed and a new, patched, open-source version is released. We will be delisting Hathorpay from the Chrome store for the time being (as per the Hathorpay User License Agreement) until a fixed version is available. Our team is now working with the third-party engineering team that conducted the code audit to estimate the work required to fix the existing wallet code.

Since our team is a bootstrapped team with a limited budget for development and operations, we have no means of rescuing users who have been impacted by this vulnerability. Over the last 18 months, we’ve spent significant sums learning and building on the network as community members. As a result, this critical issue has greatly impacted our scheduled roadmap and has set us back by months of development, effort and budget. Furthermore, members of our own team have been impacted by this same vulnerability. We understand how unpleasant this is to read as a user who trusted our service to be bug-free. We understand that this impacts the technical integrity of any future releases of Hathorpay.

As you may know, building on a new blockchain with no prior similar solutions to model after incurs its own set of risks. Going forward, any work done by our team will undergo more than one code audit before launch, as this seems to be a necessary practice when building on such a novel blockchain network. Beyond that, our tech team will be revised based on suboptimal outcomes over the last 18 months when it comes to launching production-ready DeFi solutions on Hathor. Building on EVM chains is not at all the same as building on UTXO chains, and we’ve come to learn this the hard way.

Plan going forward

We currently have to put all of our development efforts on pause due to budget constraints caused by this setback. We will seek grants to help fund development of a new version, but cannot make any promises at this time. If we do and a new stable version is released, it would be fully open-sourced and free from day 1 to become a community project. In such a case, we would only oversee development of the open-sourced version.

Conclusion

Our team apologizes for this incident and will ensure that code audits are completed with multiple firms on any potential new product release.

Update: Hathorpay has ceased operations and the project is no longer active in any way.

Have you been affected?

Please provide the transaction ID corresponding to a transaction where your wallet was drained by the attacker