Blockchain startup MonoX Finance said on Wednesday that a hacker stole $31 million by exploiting a software bug in the service used to draft smart contracts.
The company uses a decentralized financial protocol called MonoX, which allows users to trade digital currency tokens without some of the requirements of traditional exchanges. “Project owners can list their tokens without a capital requirement and focus on using the funds to build the project instead of providing liquidity,” a representative of MonoX Say here“Its working principle is to combine the deposited tokens and vCASH into a virtual pair to provide a single token pool design.”
The accounting errors built into the company’s software allowed attackers to inflate the price of MONO tokens and then use it to cash out all other deposited tokens, MonoX Finance Revealed in the post. A total of 31 million USD worth of tokens on the Ethereum or Polygon blockchain, both of which are supported by the MonoX protocol.
Specifically, the hacker used the same tokens as tokenIn and tokenOut, which are methods of exchanging the value of one token for another token. MonoX updates the price after each exchange by calculating the new price of the two tokens. When the exchange is complete, the price of tokenIn—that is, the token sent by the user—decreases, and the price of tokenOut—or the token received by the user—increases.
By using the same token for tokenIn and tokenOut, hackers greatly exaggerated the price of MONO tokens because the update of tokenOut covers the price update of tokenIn. Then the hacker exchanged tokens for 31 million U.S. dollars worth of tokens on the Ethereum and Polygon blockchains.
There is no practical reason to exchange tokens for the same token, so the software that conducts the transaction should not allow such transactions.Alas, it is true, even though MonoX received Three security audits This year.
Pitfalls of smart contracts
“This type of attack is very common in smart contracts, because many developers don’t spend a lot of effort to define security attributes for their code,” the security consulting firm Trail of Bit. “They conducted an audit, but if the audit only shows that smart people viewed the code within a given period of time, then the value of the result is very limited. Smart contracts need testable evidence to prove that they acted according to your wishes, and only Do what you want. This means defined security attributes and the technology used to evaluate them.”
Guido continued:
Most software requires vulnerability mitigation. We actively look for vulnerabilities, admit that they may be insecure when used, and build systems to detect when they are exploited. Smart contracts need to eliminate loopholes. Software verification technology is widely used to provide provable guarantees for contracts to work as expected. When developers adopt the former security method instead of the latter, most of the security issues in smart contracts will arise. There are many large, complex, and high-value smart contracts and agreements that avoid accidents, and many are used immediately after release.
Blockchain researcher Igor Igamberdiev Go to twitter Decompose the composition of the discharged token. Tokens include Wrapped Ethereum at $18.2 million, MATIC token at $10.5, and WBTC worth $2 million. The shipment also includes a small number of tokens for Wrapped Bitcoin, Chainlink, Unit Protocol, Aavegotchi and Immutable X.
Only the latest DeFi hackers
MonoX is not the only decentralized financial protocol that has become the victim of a multi-million dollar hacker attack. In October, Index Finance Said It lost approximately $16 million in a hack that used its method of rebalancing the index pool. Earlier this month, blockchain analytics company Elliptic Said So far, the so-called DeFi agreement has lost $12 billion due to theft and fraud. The loss in the first 10 months or so of this year reached US$10.5 billion, which is higher than the US$1.5 billion in 2020.
Elliptic’s report states: “The relative immaturity of the underlying technology allows hackers to steal users’ funds, and the deep pool of liquidity enables criminals to clean up criminal proceeds such as ransomware and fraud.” “This is the use of decentralized technology for Part of the broader trend for illegal purposes, Elliptic calls it DeCrime.”
The MonoX post on Wednesday stated that in the past day, team members have taken the following steps:
- Attempt to contact the attacker by submitting a message on the ETH Mainnet to open a conversation
- The contract will be suspended and repairs will be implemented to accept more rigorous testing.After proposing a sufficient compensation plan, we will work hard to lift the suspension after our security partners agree
- Contact large exchanges to monitor and possibly block any wallet addresses related to the attack
- Work with our security consultants to make progress in identifying hackers and how to reduce future risks
- Cross-reference Tornado Cash wallet interaction with wallets that also use our platform
- Search any metadata left by the interaction between the front end and our Dapp
- According to their interaction with our product, the detailed and mapped wallet address can be regarded as “suspicious”.For example, removing a lot of liquidity before exploiting
- Continuously monitor the wallet with funds. So far, 100 ETH has been sent to Tornado Cash from the stolen funds.The rest is still there
- In addition, we will submit an official police report
The post stated that MonoX Finance has insurance to cover losses worth $1 million, and that the company is now “distributing.”
