VAIOT Official Post-Attack Statement and Next Steps 10.02.2022

Dear VAIOT Token holders,

The malicious attack which we experienced last Monday has left us with a single task, to ensure that we fully restore and recover both VAIOT day-to-day operations, our token holders’ trust and any assets lost in the attack.

Taking into account the complexity of the post-attack situation and the fact that the token issuance by VAIOT Limited (the ”Company” or “VAIOT”) is formally regulated, we need to handle this process in line with certain rules and guidelines and accordingly, our proposed recovery strategies are now undergoing assessments and discussions across relevant entities to make sure that token-holders’ interest will be secured.

The information on a proper and approved recovery strategy will be shared alongside with a relevant recovery plan which is expected next week.

In the meantime, we’ve gathered enough data to be able to share with you the details regarding the attack, assets lost in the attack and initial information on the reimbursement plan for all affected token holders.

Executive Summary

On Wednesday, January 31st, 2022, we discovered a malicious use of one of VAIOT’s operational wallets with access to admin privileges that controlled: VAI pre-staking pools, the VAI Ethereum Liquidity Pool, and the VAI Binance Smart Chain Liquidity Pool. The attackers managed to claim full ownership over these services and as a result, were able to steal and sell or block permanently:

1. VAI token rewards pool for the pre-staking services — all stolen rewards will be distributed to token holders invested in the pre-staking using company’s reserve pool. The rewards for pre-staking are still being accumulated and the total amount of rewards per token holder will be calculated through a script on 16 February 2022 which will effectively terminate the rewards accumulation period. Those rewards and your deposits will be distributed directly to your wallets or become available for claiming through the claim portal. The date of the distribution should be announced in the upcoming week.
2. VAI token deposits for pre-staking — token holders’ deposits were permanently blocked by the attackers within the compromised services meaning those deposits will be reimbursed to token holders alongside the pre-staking rewards (point (a) above) either directly to your wallets or via a claiming portal. The date of the distribution should be announced in the upcoming week.
3. VAI/ETH & VAI/BNB liquidity staking pools — all stolen VAI rewards and token holders’ assets (LP tokens) will be distributed to token holders invested in liquidity staking pools using company’s reserves. Company’s reserve ensures that all assets lost in the attack will be reimbursed in full. The rewards for both liquidity pools are still being accumulated and the total amount of rewards per token holder will be calculated through a script on 16 February 2022 which will effectively terminate the rewards accumulation period. Those rewards and your deposits will be distributed directly to your wallets or become available for claiming through the claim portal. The date of the distribution should be announced in the upcoming week.

The attackers have sold the majority of the stolen tokens which resulted in a steep drop in the VAI token price and a reduction in the liquidity of the token. Our team worked to secure the remaining wallets and services to prevent any further threats. An internal investigation was done, and the results were shared with CyberCrime Unit in Malta which is currently carrying out its own investigation. We’ve contacted our compliance advisors at Grant Thornton and the Malta Financial Services Authority with detailed reporting on the potential root causes and impact of this attack. VAIOT has identified two different strategies going forward which are being discussed with both our advisors and the competent regulatory and investigative authorities to ensure regulatory compliance is upheld on our side. We’ve already received a report from Coinfirm’s forensics team which was contracted to investigate the attack and locate stolen funds. Fortunately, certain technical limitations that led to the compromise allowing the attackers to take control over our pools have been overcome, and we will be able to take measures to increase our security protocols and prevent this from happening again. The implementation of the remediation plan will be closely monitored and audited by local auditors in Malta.

Who Was Impacted?

VAIOT company will be able to simply return any funds that were stolen to their rightful owners via a snapshot taken before the security breach happened. VAIOT’s number one priority is to protect token holders and assure them that their funds will be returned. The direct financial damage will strictly affect the VAIOT company. We are currently in a position where we must wait for regulatory clearances on the options we presented before we are able to move forward with a recovery plan for our major services.

VAIOT’s daily development continues

The malicious attack does not change VAIOT’s priorities in terms of software and business development. VAIOT’s testnet is still fully operational providing us with valuable data outputs and our mainnet is still being developed with Easy Contracts Assistant envisaged for the upcoming dev sprints as well. Our business development team continues to work on the commercial deals and exciting partnerships to ensure Intelligent Contracts’ implementation into several processes and projects.

What Was the Impact?

The impact on the VAIOT company was heavy, but manageable. Fortunately, VAIOT has the support of our incredible backers and will be capable of returning both lost VAI tokens via our contingency treasury as well as replenish the liquidity that was lost in the attack. We have lost control over the three impacted pools and will need to recover them based on new, amended security policies. The replenishment of all affected pools and services will be explained as part of the Recovery Plan.

Summary of stolen or blocked assets (all subject to reimbursement):

1. Pre-staking rewards pool (both rewards to be distributed and future rewards pool) — 3 184 927 VAI tokens stolen
2. Pre-staking deposits — 8 968 234.18 VAI tokens blocked permanently (not in the possession of the attacker)
3. ETH (both company-owned and token holder owned liquidity) — 88.98 ETH stolen or blocked
4. VAI (both company-owned and token holder owned liquidity in BSC and ETH pols) — 1 991 396.45 VAI stolen or blocked
5. BNB (both company-owned and token holder owned liquidity) — 163.61 BNB stolen or blocked
6. VAI LP Staking rewards (both rewards to be distributed and future rewards pool) — 564 073 VAI stolen or blocked

All lost funds and assets will be reimbursed using Company’s reserves.

Next Steps

First, VAIOT will focus on providing token holders with reimbursements. All assets lost in the attack will be either delivered directly to your wallets or will be available through a claim portal. The Company will first reimburse token holders’ who lost LP tokens (VAI, ETH and/or BNB) as part of the liquidity pools. The exact date of an airdrop or claim portal opening for LP Tokens will be shared in the upcoming week. Reimbursements of VAI deposits and rewards will follow.

For the Services Recovery Plan, VAIOT has identified two options that present different advantages and disadvantages following the attack. We wanted to provide a road to recovery for the regulator to review and understand our long-term vision. The information on the selected option will be shared once a decision based on regulator’s feedback is made.

In the meantime, VAIOT will continue working with Coinfirm and local authorities to ensure that the full investigation is concluded. Until our services are fully operational the options for deposits and withdrawals are deactivated.

In solidarity with the community, the VAIOT team has committed to delay the first team token unlock (effectively delaying the whole team vesting) by 3 months. We are determined to overcome this low point and bounce back as strong as possible ahead of our mainnet. Once the major discussions around the investigation and recovery are finalized we will commit to regular live discussions with updates about the project. We want to reassure the community that this attack made us even more determined to ensure VAIOT’s success and as a result the well-being of our token holders.

With this update we will be slowly returning to “business as usual” operations in terms of our communication and marketing, striking a balance between constant updates about the reimbursements and recovery plan and regular product development and project updates.

We would like to extend a massive thank you to our supporters for their patience and understanding through this entire process.

With care,

The VAIOT Team

The VAIOT Website, Platforms, Solutions, and Services, and in particular VAI Tokens, are not offered for use and purchase to natural and legal persons having their permanent residence or their seat of incorporation in any of the restricted areas as listed in VAIOT’s Whitepaper, in particular: USA, Germany, Puerto Rico, US Virgin Islands, Canada, China, Singapore, Afghanistan, Central African Republic, Cuba, Democratic Republic of the Congo, Eritrea, Iran, Iraq, Libya, North and South Korea, Somalia, South Sudan, Sudan, Yemen, Zambia (Restricted Areas).