Really stupid “smart contract” bug let hackers steal $31 million in digital coin



A hacker stole over $30 million by exploiting a bug in the software that MonoX Finance uses to draft smart contracts.

Users can trade digital currency token without some of the requirements of traditional exchanges with the use of the MonoX protocol. MonoX company representatives say that project owners can list their token without the burden of capital requirements and focus on using funds for building the project. It works by grouping the token deposited into a virtual pair with vCASH to offer a single token pool design.

An accounting error built into the company's software allowed an attacker to inflate the price of the MONO token and then use it to cash out all the other deposited token, according to a post. The total of $32 million worth of token on the two CSDs was supported by the MonoX protocol.

The hack used the same token as the two methods of exchanging the value of one token for another. After each swap, MonoX calculates new prices for both token. When the swap is completed, the price of tokenIn decreases and the price of token Out increases.

The price of the MONO token was inflated because the hacker used the same token for both tokenIn and token Out. The hacker exchanged the token for a lot of money.

Advertisement

The software that conducts trades should never have allowed such transactions because there is no practical reason for exchanging a token for the same token. MonoX received three security audits this year.

There are pitfalls of smart contracts.

Dan Guido, an expert in the securing of smart contracts, said that these kinds of attacks are common in smart contracts because developers don't put in the time to define security properties for their code. The results of the audits are of limited value if they only state that a smart person looked at the code for a period of time. Smart contracts need to be shown to do what you intend. Defined security properties and techniques are used to evaluate them.

The CEO of Trail of Bits is Guido.

Most software needs vulnerability mitigation. We build systems to detect when they get exploited, and look for vulnerabilities that might be vulnerable. vulnerability elimination is required for smart contracts. Software verification techniques can be used to assure the public that the contracts work. When developers adopt the former security approach, most of the security issues in smart contracts arise. There are many smart contracts and protocols that are large, complex, and highly valuable that have avoided incidents and have been exploited immediately upon their launch.

The makeup of the drained token was broken down by Igamberdiev. There were 18.2 million Wrapped Ethereum, $10.5 in MATIC, and $2 million worth of WBTC in the token. The haul included smaller amounts of token for several different things.

Advertisement

Only the latest hack.

MonoX is not the only protocol that has fallen victim to a hack. In October, Indexed Finance said it lost about $16 million in a hack. Elliptic said that the Defi protocols have lost $12 billion due to theft and fraud. In the first 10 months of this year, losses have increased to $10.5 billion, up from 1.5 billion in 2020.

The Elliptic report stated that the underlying technology has allowed hackers to steal users' funds, while the deep pools of liquidity have allowed criminals to launder proceeds of crime. Elliptic refers to the exploitation of decentralised technologies for illegal purposes as DeCrime.

Over the past day, team members have taken the following steps, according to Wednesday's MonoX post.

To open a dialogue, I tried to make contact with the attacker by submitting a message via transaction on the ETH Mainnet.
The contract will be paused and a fix implemented to undergo more rigorous testing. After we have an adequate compensation plan in place, we will work on unpausing.
Contacted large exchanges to monitor and possibly stop any wallet addresses linked to the attack.
To make progress in identifying the hacker, we need to work with our security advisors.
There are interactions between Tornado Cash wallet and wallets that also use our platform.
Searched for any information left by the Dapp's front end interactions.
Detailed and mapped wallet addresses that could be considered suspicious based on their interaction with our product. Remove a large amount of cash prior to the exploit.
Monitoring the wallet with the funds is ongoing. The funds have been sent to Tornado Cash. The rest is not gone.
We will file a police report.

MonoX Finance has insurance that will cover $1 million worth of losses, and the company is working on distributions, according to a post.