Two weeks ago, after three software audits and three months of field testing, a cryptocurrency startup called MonoX launched what it described “Monoswap, the premier guided decentralized exchange”.
In the announcement on November 23, 2021, Company announced:
MonoX will completely change the DeFi ecosystem by fixing the capital efficiency of the current protocol model. With the launch of lower transaction fees, capital efficiency and zero capital tokens-MonoX will expand the capabilities of DeFi.
As you may know, DeFi is an acronym for the term (or, for our strict language, its ellipsis) Decentralized finance, Usually used to refer to electronic transactions that do not rely on any single company or government department for record keeping.
By using a distributed ledger, called Blockchain, A community-run bookkeeping company in which transactions are reached and recorded through consensus, and encrypted currencies and digital contracts do not need to be managed by a single institution such as a central bank or payment card company.
Therefore, blockchain technology has brought many opportunities, just as you undoubtedly Why not invest now in our brand new cryptocurrency trading $ Emails captured by spam filters these days.
There are still many risks, because MonoX was discovered almost when it went online last month.
Despite the audit and testing, MonoX seems to have made an interesting mistake in how it handles balance changes during the transaction.
This has obviously caused the startup to lose a huge amount of US$31,000,000, thanks to a series of automated malicious transactions that the company did not expect, and therefore did not program these transactions.
Pay oneself to think it is harmful
As far as we can see, if you transfer value from one of your MonoX cryptocurrencies, it will trigger a software defect that MonoX ignores…
…Back to yourself, a bit like bank transfer directly from your own account to your own account.
You would imagine that your formal bank would prevent you from doing such things on the grounds that it would [a] Meaningless and [b] It may be a mistake.
If you are absolutely determined to do this anyway, perhaps to record large deposits so that your business looks busier than it actually is, you can always try to do it as two separate transactions.
For example, you can withdraw $100 in cash from the teller, then join the back of the queue and pay $100 directly, assuming you are willing to accept a moderate overall loss of any withdrawal and deposit fees that may apply.
These days, you want your balance to be reduced by $100 immediately after the withdrawal, and of course you want to return to the cashier to pay the $100 before the previous trade fair has passed.
Even if this does not happen, you still want to see two transactions in your statement in the end, in the order in which you made the transactions: pay more than $100, and then pay less than $100.
However, you don’t expect (especially because if you let people get away with it, your bank won’t continue to operate) If you can process the second transaction fast enough Then it will completely cover the first transaction, allowing your account to deposit a deposit of $100, but there is no record of the previous withdrawal.
Below waterline
Sadly, what seems to be the thing described above MonoX boat with holes Below the waterline:
The vulnerability is caused by a smart contract error that allows the same tokens to be sold and purchased. In the case of an attack, it is our native MONO token. When an exchange occurs and tokenIn is the same as tokenOut, the contract allows the transaction.
Any price updates from tokenIn and tokenOut are independently verified by the contract. Since the tokenOut was finally verified, this caused the price of MONO to rise sharply. The attacker then used the high price MONO to buy all other assets in our pool and depleted the funds.
The explanation is not entirely clear, maybe because English is not the author’s first language, but it does sound as if the “smart contract” code is like this:
As you can see, if the above code does not work tokenIn with tokenOut Refer to the same account because the last two lines become:
The deduction in the first line is immediately used to cancel the variable assignment that affects the payment in the second line, so you (amount - fee) Cryptocurrency.
You should end up with an overall result (amount - amount - 2*fee), Which reduces to debit (2*fee) – One withdrawal fee; the other for deposits-as you would expect.
According to MonoX, some of the funds obtained in this way have been pushed through so-called tumblers or trading mixers, presumably in an attempt to disguise their origin so that they can be used again without raising suspicion.
What’s next?
Perhaps inspired by the recent $600 million Poly Networks hack, the company somehow managed to attract the perpetrators so well that most of the funds were returned. MonoX said it has “[t]Attempting to contact the attacker by submitting a message on the ETH mainnet to initiate a dialogue.”
In other words, the MonoX team used the comment field in Ethereum transactions as a way to request funds to be recovered.
MonoX also stated that it “A formal police report will be submitted”, Although it is unclear whether this has already happened.
We speculate that if the matter is now in the hands of the police, this may complicate MonoX’s negotiations with the perpetrators.
Indeed, the next question is, “Did the attacker really break the law?”
In some jurisdictions, deliberate use of software errors to circumvent protection or achieve results that are clearly inconsistent with expected behavior may expose you to criminal or civil litigation.
Google discovered this as early as 2012, when it was fined for secretly bypassing the anti-tracking protection of Apple’s Safari browser.
In addition, in many (if not most) countries, you should report and refund any bank deposits that are clearly not suitable for you, rather than being allowed to profit from the bank’s mistakes.
But the whole significance of DeFi lies in its decentralized, freewheeling, liberal, and unsupervised nature.
Therefore, as non-lawyers, we have no idea what the regulatory situation might be in this case, if we do find out which jurisdictions and which regulations will apply anyway.
what do you think? Tell us in the comments (you can remain anonymous if you wish)…
