Blockchain startup MonoX Finance said on Wednesday that a hacker had stolen $31 million by exploiting a vulnerability in the service’s software used to draft smart contracts.
The company uses a decentralized financial protocol called MonoX that allows users to make transactions Digital currency Tokens do not have some requirements of traditional exchanges. “Project owners can list their tokens without a capital requirement and focus on using the funds to build the project instead of providing liquidity,” a representative of MonoX Written in november“Its working principle is to combine the deposited tokens and vCASH into a virtual pair to provide a single token pool design.”
Accounting errors built into the company’s software allowed attackers to inflate the price of MONO tokens and then use it to cash out all other deposited tokens, MonoX Finance Revealed in the post. Carrying USD 31 million worth of tokens Ethereum Or polygon Blockchain, Both are supported by the MonoX protocol.
Specifically, the hacker used the same tokens as tokenIn and tokenOut, which are methods of exchanging the value of one token for another token. MonoX updates the price after each exchange by calculating the new price of the two tokens. After the exchange is completed, the price of tokenIn—that is, the token sent by the user—decreases, and the price of tokenOut—or the token received by the user—increases.
By using the same token for tokenIn and tokenOut, hacker The price of MONO tokens has been greatly increased, because the update of tokenOut covers the price update of tokenIn. Then the hacker exchanged tokens for 31 million U.S. dollars worth of tokens on the Ethereum and Polygon blockchains.
There is no practical reason to exchange tokens for the same token, so the software that conducts the transaction should not allow such transactions.Alas, it is true, even though MonoX received Three security audits This year.
Pitfalls of smart contracts
“These types of attacks are common in smart contracts because many developers do not define security properties for their code,” said Dan Guido, an expert in smart contract security, just like the hacked people here. “They conducted an audit, but if the audit only shows that smart people viewed the code within a given period of time, then the value of the result is very limited. Smart contracts need testable evidence that they are in accordance with your intentions and only in accordance with you The intent to execute. This means defining the security attributes and the technology used to evaluate them.”
Guido, CEO of the security consulting company Trail of Bits, continued:
Most software requires vulnerability mitigation. We actively look for vulnerabilities, admit that they may be insecure when used, and build systems to detect when they are exploited. Smart contracts need to eliminate loopholes. Software verification technology is widely used to provide provable guarantees for contracts to work as expected. When developers adopt the former security method instead of the latter, most of the security issues in smart contracts will arise. There are many large, complex, and high-value smart contracts and agreements that avoid accidents, and many are used immediately after release.
Blockchain researcher Igor Igamberdiev Go to twitter Decompose the composition of the discharged token. Tokens include Wrapped Ethereum at $18.2 million, MATIC token at $10.5, and WBTC worth $2 million. The shipment also includes a small number of tokens for Wrapped Bitcoin, Chainlink, Unit Protocol, Aavegotchi and Immutable X.
Only the latest DeFi hackers
MonoX is not the only decentralized financial protocol that has become the victim of a multi-million dollar hacker attack. In October, Index Finance Said It lost approximately $16 million in a hack that used its method of rebalancing the index pool. Earlier this month, blockchain analytics company Elliptic Said As a result of theft and fraud, the so-called DeFi protocol has lost $12 billion. The loss in the first 10 months or so of this year reached US$10.5 billion, which is higher than the US$1.5 billion in 2020.
Elliptic’s report stated: “The relative immaturity of the underlying technology allows hackers to steal users’ funds, and the deep pool of liquidity enables criminals to clean up criminal proceeds such as ransomware and fraud.” “This is the use of decentralized technology for Part of the broader trend for illegal purposes, Elliptic calls it DeCrime.”