Blockchain start-up MonoX Finance on Wednesday confirmed that a hacker has stolen $31 million of digital tokens by exploiting a vulnerability in the software service it uses to write smart contracts.
MonoX, a decentralized finance (DeFi) protocol that allows users to provide liquidity with single assets on Ethereum (ETH) and Polygon, said that the exploit was caused by a smart contract bug that allows the sold and bought token to be the same.
In this attack, that token was the native MONO token. The hacker used the same token as both the tokenIn (the token sent by the user) and the tokenOut (the token received by the user), the two sides of a swap that exchanges the value of one token for another.
After each swap, MonoX updates prices by calculating new prices for both tokens. When the swap is completed, the price of tokenIn decreases and the price of tokenOut increases.
During a swap, the hacker greatly inflated the price of the MONO token by using the same token for both tokenIn and tokenOut. The attacker then used the highly priced MONO to purchase all the other assets in the pool, draining its funds.
However, the software that conducts trades should never have allowed such a transaction, which exchanges a token for the same token.
MonoX had previously been audited by two smart contract auditors, Peckshield and Halborn, but neither identified the vulnerability the hacker used to drain the protocol’s smart contracts.
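To show why that check matters, here is an added example constructed for this article (it is not MonoX's code): a simplified pool whose post-swap price update lowers tokenIn and raises tokenOut as described above, with the unchecked path beside the hardened one. The update rule, the sample reserves and the token names are assumptions.

```python
from dataclasses import dataclass


class SameTokenSwap(Exception):
    """Raised by the hardened swap when tokenIn == tokenOut."""


@dataclass
class Pool:
    """Constructed, simplified pool model (not MonoX's contract): each token
    has its own price and reserve, and a swap moves the two prices in opposite
    directions as the article describes. The update rule (price scales
    inversely with the reserve change) is an assumption for this example.
    """
    prices: dict
    reserves: dict
    reject_same_token: bool = True

    def swap(self, token_in: str, token_out: str, amount_in: float) -> float:
        if self.reject_same_token and token_in == token_out:
            raise SameTokenSwap("tokenIn and tokenOut must differ")
        p_in, p_out = self.prices[token_in], self.prices[token_out]
        amount_out = amount_in * p_in / p_out
        # Both new prices derive from the pre-swap state: tokenIn cheapens
        # (more of it in the pool), tokenOut appreciates (less of it).
        r_in, r_out = self.reserves[token_in], self.reserves[token_out]
        new_p_in = p_in * r_in / (r_in + amount_in)
        new_p_out = p_out * r_out / (r_out - amount_out)
        self.reserves[token_in] += amount_in
        self.reserves[token_out] -= amount_out
        self.prices[token_in] = new_p_in
        # With token_in == token_out this second write overwrites the
        # decrease just stored, so every self-swap leaves the price higher.
        self.prices[token_out] = new_p_out
        return amount_out


def self_swap_rounds(pool: Pool, token: str, amount: float, rounds: int) -> float:
    """Repeat a same-token swap `rounds` times and return the resulting price."""
    for _ in range(rounds):
        pool.swap(token, token, amount)
    return pool.prices[token]


def make_pool(reject_same_token: bool) -> Pool:
    # Constructed sample state: 1000 units of each token, both priced at 1.0.
    return Pool({"MONO": 1.0, "USDC": 1.0}, {"MONO": 1000.0, "USDC": 1000.0},
                reject_same_token)
```

On the unchecked pool ten self-swaps of 500 MONO leave the reserves untouched but multiply the MONO price by 1024, while the hardened pool refuses the very first one.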
The MonoX team released the below statement confirming what steps it has taken in the past 24 hours following the hack:
- Tried to make contact with the attacker to open a dialog through submitting a message via transaction on ETH Mainnet
- Paused the contract and will implement a fix to undergo more rigorous testing. After coming up with an adequate compensation plan we will work on unpausing after our security partners have given the OK
- Contacted large exchanges to monitor and possibly stop any wallet address linked to the attack
- Collaborating with our security advisors to make progress in identifying the hacker and how to mitigate future risk
- Cross-referenced Tornado Cash wallet interactions with wallets that also used our platform
- Searched for any metadata left by front end interactions with our Dapp
- Detailed and mapped wallet addresses that could be considered ‘suspicious’ based on their interaction with our product. For example, removing a large amount of liquidity prior to the exploit
- Ongoing monitoring of the wallet with the funds. So far 100 ETH has been sent to Tornado Cash from the stolen funds. The rest is still there.
- Additionally, we will file a formal police report.
The statement also said MonoX Finance has $1m insurance from Tidal to cover losses and that the company is now “working on distributions.”
“Please know that fixing the issue is at the forefront of our thoughts, and most importantly how we can restore what was lost by our community. Be on the lookout for a compensation plan in the near future. This also goes without saying, but we won’t even consider redeployment until we’ve been thoroughly audited again,” the MonoX team concluded.
“We know it will take time for the community to trust us again, but the team isn’t going anywhere and we plan to still build our products to make a difference for DeFi capital efficiency. We know and accept what is at stake here. We will make this right.”