Blockchain startup MonoX Finance said Wednesday that hackers stole $ 31 million by exploiting a bug in the software used to draft smart contracts.
The company uses a decentralized financial protocol called MonoX, which allows users to trade digital currency tokens without using some of the requirements of traditional exchanges. “Project owners can focus on listing tokens without the burden of capital requirements and spending money on building the project instead of providing liquidity,” said a representative of the MonoX company. Says. Say here.. “This works by grouping the deposited tokens into a virtual pair with vCASH, providing a single token pool design.”
An accounting error built into the company’s software allowed an attacker to soar the price of MONO tokens and use them to monetize all other deposited tokens, MonoX Finance. Revealed in the post.. Carries amount to $ 31 million worth of tokens on the Ethereum or Polygon blockchain, both supported by the MonoX protocol.
Specifically, the hack used the same tokens for both tokenIn and tokenOut. These are methods for exchanging the value of one token for another. MonoX updates the price after each swap by calculating the new price for both tokens. When the swap is complete, the price of tokenIn (that is, the token sent by the user) goes down and the price of tokenOut (the token received by the user) goes up.
Hackers have significantly increased the price of MONO tokens because the tokenOut update overwrote the tokenIn price update by using the same token for both tokenIn and tokenOut. Hackers then exchanged tokens for $ 31 million worth of tokens on the Ethereum and Polygon blockchains.
There is no practical reason to exchange a token for the same token. Therefore, the software that makes the transaction should not have allowed such a transaction.Alas, even though MonoX received it, I did. Three security audits This year.
Pit of smart contract
“This kind of attack is common in smart contracts, because many developers aren’t prepared to define security properties for their code,” said the security of smart contracts as hacked here. Expert and security consultant Trailof CEO Dan Guido said. bit. “They have been audited, but the value of the results is limited if the audit only states that a wise person saw the code for a specific period of time. Smart contracts do what you intended. And you need verifiable evidence that you only do what you intended. This means the defined security properties and the techniques adopted to evaluate them. “
Most software needs to mitigate vulnerabilities. We will actively search for vulnerabilities, recognize that they may not be safe during use, and build a system that detects when they are exploited. Smart contracts need to eliminate vulnerabilities. Software verification techniques are widely used to provide guarantees that can prove that a contract works as intended. Most smart contract security issues arise when developers adopt the former security approach rather than the latter. There are many large, complex and highly valuable smart contracts and protocols that avoid incidents, some of which are immediately exploited at startup.
Blockchain researcher Igor Igamberdiev I took you to Twitter Decompose the composition of the ejected tokens. The tokens included $ 18.2 million of wrapped Ethereum, $ 10.5 of MATIC tokens, and $ 2 million of WBTC. The haul also included a small amount of wrapped Bitcoin, chainlinks, unit protocols, Aavegotchi, and Immutable X.
Only the latest DeFi hack
MonoX isn’t the only victim of millions of dollars in hacking. October, indexed finance Said I lost about $ 16 million in a hacking that abused how to rebalance the index pool. Earlier this month, blockchain analytics company Elliptic Said The so-called DeFi protocol has lost $ 12 billion so far due to theft and fraud. Losses in the first 10 months of the year reached $ 10.5 billion, up from $ 1.5 billion in 2020.
“The relatively immature underlying technology allows hackers to steal user funds, and the liquid pool allows criminals to launder criminal proceeds such as ransomware and fraud. “It was,” said the Elliptic report. “This is part of a broader trend in the use of distributed technology for illegal purposes, which Elliptic calls DeCrime.”
According to a MonoX post on Wednesday, team members have performed the following steps over the past day:
- Attempted to contact and initiate dialogue with an attacker by sending a message via a transaction on ETH Mainnet
- Suspend the contract and implement a fix to get more rigorous testing.After coming up with the right compensation plan, the security partner will give you an OK and then work to unpause.
- Contacted a large exchange to monitor the wallet address associated with the attack and in some cases stopped it
- Worked with security advisors to advance ways to identify hackers and mitigate future risks
- Interaction between cross-referenced tornado cash wallets and wallets also using our platform
- Searched for metadata left by front-end interaction with Dapp
- A wallet address mapped in detail that may be considered “suspicious” based on its interaction with our products.For example, remove a large amount of liquidity before the exploit
- Continuous monitoring of the wallet with funding. So far, 100 ETH has been sent to the tornado cash from the stolen funds.The rest are still there
- In addition, submit a formal police report
According to the post, MonoX Finance has insurance that covers a loss worth $ 1 million, and the company is currently “working on distribution.”