Blockchain Startup MonoX Finance said Wednesday that a hacker took advantage of a bug in software to steal $31 million that the service uses to draft smart contracts.
The company uses a decentralized finance protocol called MonoX that lets users trade digital currency tokens without some of the requirements of traditional exchanges. “Project owners can list their tokens without the burden of capital requirements and can focus on using the funds to build the project,” said a representative from the MonoX company. wrote in november, “It works by grouping deposited tokens into a virtual pair with vCASH to offer a single token pool design.”
An accounting error built into the company’s software allowed an attacker to inflate the price of the Mono token and then use it to cash out all other deposited tokens, MonoX Finance. disclosed in the post, The token was valued at $31 million on the Ethereum or Polygon blockchain, both of which are backed by the MonoX protocol.
Notably, the hack used tokens similar to both TokenIn and TokenOut, which are methods of exchanging the value of one token for another. MonoX updates the prices after each swap by calculating the new prices for both tokens. When the swap is complete, the price of Tokens-In—that is, the tokens sent by the user—decrease and the price of TokenOut—or the tokens received by the user, increases.
By using the same token for both TokenIn and TokenOut, the hacker greatly inflated the price of the MONO token because the update to TokenOut overwritten the price update for TokenIn. The hackers then exchanged tokens for $31 million worth of tokens on the Ethereum and Polygon blockchains.
There is no practical reason to exchange tokens for the same token, and therefore the software that conducts trades should never allow such transactions. I wish this happened despite getting MonoX three security audits this year.
“Attacks like this are common in smart contracts, because many developers don’t do the legwork to define security properties for their code,” said Dan Guido, an expert in security for hacked smart contracts here. “They had audits, but if the audits only reveal that a smart person looks at the code for a certain period of time, the results are of limited value. Smart contracts require testable proof that they do the same. Do what you want and only do what you want. This means defined security properties and the techniques employed to evaluate them.”
Guido, CEO of security consultancy Trail of Bits, continued:
Most software requires vulnerability mitigation. We actively look for vulnerabilities, acknowledge that they may be vulnerable when using them, and build systems to detect when they are exploited. Smart contracts require vulnerability elimination. Software verification techniques are widely used to provide verifiable assurance that contracts work as intended. Most security issues in smart contracts arise when developers adopt the former security approach rather than the latter. There are many smart contracts and protocols that are large, complex and highly valuable that survive incidents, as well as many that have been exploited immediately upon their launch.
Blockchain researcher Igor Igmberdiev took to twitter To break up the makeup of the dry token. The tokens included $18.2 million worth of wrapped Ethereum, $10.5 million in MATIC tokens, and $2 million worth of WBTC. The race also included small amounts of tokens for Wrapped Bitcoin, Chainlink, Unit Protocol, Avgotchi and Immutable X.
MonoX isn’t the only decentralized finance protocol to fall victim to the multimillion-dollar hack. In October, Indexed Finance said It lost approximately $16 million in a hack that exploited the way the index pool was rebalanced. Earlier this month, blockchain-analysis company Elliptic said The so-called DeFi protocol has lost $12 billion due to theft and fraud. The deficit jumped to $10.5 billion in the first nearly 10 months of this year, up from $1.5 billion in 2020.
“The relative immaturity of the underlying technology has allowed hackers to steal users’ funds, while the deep pool of liquidity has allowed criminals to launder the proceeds of crime such as ransomware and fraud,” the Elliptic report said. “This is part of a broader trend in the exploitation of decentralized technologies for illicit purposes, which Elliptic refers to as the Decreme.”
Wednesday’s MonoX post stated that, in the past, team members took the following steps:
- Attempted to contact attacker to open a dialog by submitting a message via transaction on ETH Mainnet
- The contract has been put on hold and will apply a reform to undergo more rigorous testing. After coming up with an adequate compensation plan, we will work on stopping after our security partners give an OK
- Contacted major exchanges to monitor and possibly prevent any wallet addresses associated with the attack
- Collaborating with our security advisors to identify hackers and make progress in mitigating future risks
- Cross-reference Tornado Cash wallet interaction with wallets that use our platform
- Our Dapp. Discovered any metadata left behind by Front End interactions with
- Detailed and mapped wallet addresses that may be considered “suspicious” based on their interactions with our product. For example, removing large amounts of liquidity prior to exploitation
- Constant monitoring of wallet with funds. So far 100 ETH has been sent to Tornado Cash from the stolen funds. The rest is still there.
- Additionally, we will file a formal police report.
The post said that MonoX Finance has insurance that will cover $1 million worth of damages and that the company is now “working on a distribution.”
This story originally appeared on Ars Technica,
- The latest on tech, science and more: Receive our newsletter!
- At the end of the world, it’s hyperobjects all the way down
- Cars are going electric. What happens to used batteries?
- Finally, a practical use for nuclear fusion
- The Metaverse Is Just Big Tech, But Big
- Analog gifts for those who need a digital detox
- ️ Explore AI like never before with our new database
- Upgrade your work game with our Gear team’s favorite laptop, keyboard, typing options, and noise-canceling headphones