RCA: Accidental Deployment of "Hey" Tokens on Clanker

31 Oct, 2025

On October 31, 2025, two unintended "Hey" tokens were deployed on Clanker.world under the wallet yoginth.eth. These deployments caused public confusion and trading activity, as they appeared linked to the official Hey.xyz project.

After investigation, all test tokens were burned, and 6.3 ETH in liquidity provider fees were fully refunded to affected users.

Background

At my home office, I share a development computer with a co-worker who also contributes to Hey.xyz. While exploring the Clanker platform for testing, he accidentally connected to my yoginth.eth wallet instead of his test wallet and deployed two "Hey" tokens.

Since the deployments appeared publicly under my ENS name, users assumed they were official tokens from me or the Hey.xyz project. This led to trading and liquidity provision on the platform.

Impact

• Two unauthorized tokens named "Hey" were deployed.
• Test tokens were minted and distributed, creating additional confusion.
• Users began adding liquidity and trading under the assumption of official backing.
• Temporary reputational risk due to association with my ENS identity.

Immediate Actions Taken

Upon discovering the issue, I acted immediately:

• Burned all unintended tokens by transferring them to the 0x0000 address.
• Transferred all tokens to a backup wallet to prevent any potential asset loss.
• Collected all contract fees to prevent misuse.
• Conducted a full-day investigation into wallet activity and transaction history.
• Confirmed that the deployments were accidental and not malicious.

Root Cause

The issue stemmed from human error during testing:

• Shared workstation led to a wallet mix-up.
• Clanker interface allowed quick deployment without ownership verification.
• Lack of strict separation between production and testing environments.

Resolution

After verifying all details, a total of 6.3 ETH was refunded to all liquidity providers.

Refund transactions (Mainnet Chain)

• 2.9 ETH - 0x32a2bc4e299abe3d35a55068301411f2c0a1a42f82b6ac4e6960c36f8fca9ebe
• 1.4 ETH - 0x484b576829bb444c751abd2641c5bdaf7e57b9125d5ffaa16debaa4e0954ca0b
• 1.8 ETH - 0x962c1dcf349def852f5d0f3c65b862d5fbf6f2b066f67613cce0d03955d74698c
• 0.2 ETH - 0xe19d6516d4ea4f64f43b54d2fbc710b0287b6bc173cd9f9d5b2461d9e3ff09ed

All affected users have been fully reimbursed.

Reward Claim Transactions (Base Chain)

Below are all claim transactions collected on the Base chain.

The ETH values shown are actual claim amounts, and any difference was covered from Hey Pro’s revenue.

• 0.001 ETH - 0x1503b43a624a81f084c8f9d04d46f1c11b7e4cdf59ac66c7c0f443765a84b9f9
• 0.001 ETH - 0x6308cf1402dda856cf7eedcc5805791848e8f85d564bb76f80d67c5e37704a12
• 0.011 ETH - 0x031e7f421d5d1ddc83ca15c156817e4fd5a50602e3622b11bbd6e47f797d643e
• 0.006 ETH - 0x3d5a5303167b73a9527bf360238d985f855194b625b5189c3e68da6a979ba228
• 0.004 ETH - 0xa83d22f05a0b5dd765db3881834e3f9994d2b83c13ef724eaaaa76893cbbabe1
• 0.013 ETH - 0x4105fbde554a7028a691a957db1061c8dd7b55f911d76acf136e7e31dfc93103
• 0.017 ETH - 0x2ca2c6b721f9e10ed2540d1baa89b628d66ca07af039b144a0888deae123c822
• 0.027 ETH - 0x28a71314b5a81d0ea14eea549cedca12ab377c643b4df018706e240b6a9c962a
• 0.032 ETH - 0xc99565877d4831f48f5a21ff0e8f05d1a9d882bf66214ccc1e8e8149bda2ee8f
• 0.204 ETH - 0x6142e80c8a540e42143994a18bc034c115f390341ba3cb2156b1c1b778669a4f
• 0.849 ETH - 0x059b3e414f6095e999b8c122becc3aba77baab0e1f77acbf929f602a2e5cf799
• 0.572 ETH - 0x6a9146271b3116c85873ef3d828480756b02bbb218ee358d00fbadad3e7b0e78
• 1.222 ETH - 0xc25e5eb1da9bc5a5e9b77e42e1c3c1e33889333208ef679ca420b9e3c8b93616
• 0.294 ETH - 0x9199ff4fc24f12c41064c87b35839b48dcca9c888a15100f04066ac3c2a05d4d
• 0.509 ETH - 0xd8bbbd62fddd13a23efefda75519e5de61573d38377b978ea7bf7b1b0d202c16
• 2.223 ETH - 0x66a7f5f8eea2725f711a9ab7b47ebcc069136f47c3e7064aa187b0a4d07afb80

Preventive Measures

To prevent such incidents in the future:

• Dedicated Wallets: Each contributor now uses separate wallets for testing and production.
• Access Controls: Shared devices will no longer hold wallet access.
• Deployment Verification: Every token deployment will pass through an internal verification checklist.
• Awareness: All contributors have been reminded about ENS visibility and testing safeguards.

Closing Note

This incident was an unintentional mistake in a shared environment, not a malicious action. All affected parties have been fully refunded, and additional security measures are now in place.

Transparency and accountability remain top priorities, and this post serves as both documentation and a continued commitment to maintaining trust.

Subscribe to my blog