Launching Blockchain MonoX Finance said Wednesday that a hacker stole $31 million by exploiting a bug in the software the service uses to draft smart contracts.
The company uses a decentralized financial protocol called MonoX that allows users to transact digital currency tokens without some of the requirements of traditional exchanges. “Project owners can list their tokens without the burden of capital requirements and focus on using the funds to build the project instead of providing liquidity,” the public representative said. company MonoX written in November. “It works by grouping deposited tokens into a virtual pair with vCASH, to provide a unique token pool design.”
An accounting bug built into the company’s software allowed an attacker to increase the price of the MONO token and then use it to cash out all other sent tokens, MonoX Finance revealed in a post. Total amount up to $31 million worth of tokens on Ethereum or Polygon blockchains, both are supported by the MonoX protocol.
Specifically, the hack used the same token with both tokenIn and tokenOut, which are methods of exchanging the value of one token for another. MonoX updates the price after each swap by calculating a new price for both tokens. When the swap is complete, the price of tokenIn – i.e. the token submitted by the user – decreases and the price of tokenOut – or the token received by the user – increases.
By using the same token for both tokenIn and tokenOut, Hacker very high price increase of the MONO token because updating the token Out overwrote the price update of the In token. The hacker then exchanged this token for $31 million worth of tokens on the Ethereum and Polygon blockchains.
There is no practical reason to exchange tokens for the same token, and thus the software that executes the transaction should never allow such transactions. Alas, it did, despite receiving MonoX three security audits This year.
Pitfalls of smart contracts
Dan Guido, an expert on smart contract security, said: “These types of attacks often occur in smart contracts, because many developers do not follow the right process to identify the smart contracts. security attributes for their code. “They had audits, but if the audits only say that a smart person viewed the code for a certain amount of time, the results are of limited value. Smart contracts need verifiable proof that they do what you intended and only what you intended. That means identified security attributes and techniques are used to evaluate them”.
The CEO of security consulting firm Trail of Bits, Guido continued:
Most software claims to mitigate vulnerabilities. We proactively look for vulnerabilities, confirm they may be unsafe to use, and build systems to detect when they’re being exploited. Smart contracts require the removal of security holes. Software verification techniques are widely used to provide provable guarantees that contracts will work as intended. Most security problems in smart contracts arise when developers adopt the former security approach, instead of the latter. There are many large, complex, and high-value smart contracts and protocols that have avoided the crash, in addition to many that have been mined at launch.
Blockchain researcher Igor Igamberdiev put on twitter to break the makeup of the drained tokens. Tokens include $18.2 million in Ethereum wrapped, $10.5 in MATIC tokens, and $2 million worth of WBTC. Scale also includes a small amount of tokens for Wrapped Bitcoin, Chainlink, Unit Protocol, Aavegotchi, and Immutable X.
Only the latest DeFi hack
MonoX is not the only decentralized finance protocol to fall victim to a multi-million dollar hack. In October, Indexed Finance speak it lost around $16 million in a hack that exploited how it rebalanced stat pools. Earlier this month, blockchain analytics firm Elliptic speak The so-called DeFi protocol lost 12 billion dollars due to theft and fraud. Losses for about the first 10 months of this year amounted to $10.5 billion, up from $1.5 billion in 2020.
The relative immaturity of the underlying technology has allowed hackers to steal user funds, while liquidity pools have allowed criminals to launder criminal proceeds, the Elliptic report states. like ransomware and fraud”. “This is part of a broader trend in the exploitation of decentralized technologies for illicit purposes, which Elliptic calls DeCrime.”
