Sign up to save your podcasts
Or
Share A software flaw enabled hackers to steal $31 million from a cryptocurrency service
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
A software flaw enabled hackers to steal $31 million from a cryptocurrency service
MonoX Finance, a blockchain startup, announced on Wednesday that a hacker stole $31 million by exploiting a flaw in the software it uses to create smart contracts.
The company utilises the MonoX decentralised finance protocol, which enables users to trade digital currency tokens without complying with certain requirements associated with traditional exchanges. "Without the burden of capital requirements, project owners can list their tokens and focus on developing the project rather than providing liquidity," MonoX company representatives wrote in November. "It operates by grouping deposited tokens into a virtual pair with vCASH, allowing for the creation of a single token pool."
An accounting error in the company's software enabled an attacker to inflate the MONO token's price and then use it to withdraw all other deposited tokens, MonoX Finance revealed in a post. The haul totalled $31 million in Ethereum or Polygon tokens, which are both supported by the MonoX protocol.
The hack specifically utilised the same token for both tokenIn and tokenOut, which are methods for exchanging the value of one token for another. MonoX calculates new prices for both tokens following each swap. When the swap is complete, the price of tokenIn—the token sent by the user—decreases, while the price of tokenOut—the token received by the user—increases.
By using the same token for both tokenIn and tokenOut, the hacker significantly inflated the MONO token's price, as updating the tokenOut overwrote the tokenIn's price update. The hacker then traded the token for $31 million in Ethereum and Polygon tokens.
There is no practical reason to exchange a token for another token, and thus the trading software should never have permitted such transactions. Unfortunately, it did, despite the fact that MonoX underwent three security audits this year.
The Smart Contracts Pitfalls
"These types of attacks are common in smart contracts because many developers fail to define security properties for their code," explained Dan Guido, an expert on securing smart contracts like the one hacked here. "They had audits, but if the audits simply state that a knowledgeable individual examined the code for a specified period of time, the results are of limited value. Smart contracts require testable evidence that they perform exactly as you intend. This includes both defined security properties and techniques for evaluating them."
Guido continued as the CEO of security consultancy Trail of Bits:
The majority of software is vulnerable and requires vulnerability mitigation. We look for vulnerabilities proactively, acknowledge that they may be insecure while being used, and develop systems to detect when they are exploited. Smart contracts necessitate the elimination of vulnerabilities. Software verification techniques are widely used to provide verifiable assurances that contracts function properly. The majority of security issues in smart contracts arise when developers take the former rather than the latter approach to security. Numerous large, complex, and highly valuable smart contracts and protocols have avoided incidents, in addition to the numerous ones that were immediately exploited upon their launch.
Igor Igamberdiev, a blockchain researcher, took to Twitter to explain the composition of the drained tokens. Wrapped Ethereum was worth $18.2 million, MATIC tokens were worth $10.5 million, and WBTC was worth $2 million. Additionally, smaller amounts of Wrapped Bitcoin, Chainlink, Unit Protocol, Aavegotchi, and Immutable X tokens were included in the haul.
Only the Most Up-to-Date DeFi Hack
MonoX is not the only decentralised finance protocol to have been hacked for millions of dollars. Indexed Finance disclosed in October that it had lost approximately $16 million in a hack that took advantage of the way it rebalances index pools. Elliptic, a blockchain analysis company, reported earlier this month that so-called DeFi protocols have lost $12 billion to theft and fraud. Losses reached $10.5 billion in the first roughly ten months of this year, up from $1.5 billion in 2020.
"The relative immaturity of the underlying technology enabled hackers to steal users' funds, while the deep liquidity pools enabled criminals to launder the proceeds of ransomware and fraud," the Elliptic report stated. "This is part of a larger trend towards the illicit use of decentralised technologies, which Elliptic refers to as DeCrime."
Support us!
View all episodes
By Crypto PiratesMonoX Finance, a blockchain startup, announced on Wednesday that a hacker stole $31 million by exploiting a flaw in the software it uses to create smart contracts.
The company utilises the MonoX decentralised finance protocol, which enables users to trade digital currency tokens without complying with certain requirements associated with traditional exchanges. "Without the burden of capital requirements, project owners can list their tokens and focus on developing the project rather than providing liquidity," MonoX company representatives wrote in November. "It operates by grouping deposited tokens into a virtual pair with vCASH, allowing for the creation of a single token pool."
An accounting error in the company's software enabled an attacker to inflate the MONO token's price and then use it to withdraw all other deposited tokens, MonoX Finance revealed in a post. The haul totalled $31 million in Ethereum or Polygon tokens, which are both supported by the MonoX protocol.
The hack specifically utilised the same token for both tokenIn and tokenOut, which are methods for exchanging the value of one token for another. MonoX calculates new prices for both tokens following each swap. When the swap is complete, the price of tokenIn—the token sent by the user—decreases, while the price of tokenOut—the token received by the user—increases.
By using the same token for both tokenIn and tokenOut, the hacker significantly inflated the MONO token's price, as updating the tokenOut overwrote the tokenIn's price update. The hacker then traded the token for $31 million in Ethereum and Polygon tokens.
There is no practical reason to exchange a token for another token, and thus the trading software should never have permitted such transactions. Unfortunately, it did, despite the fact that MonoX underwent three security audits this year.
The Smart Contracts Pitfalls
"These types of attacks are common in smart contracts because many developers fail to define security properties for their code," explained Dan Guido, an expert on securing smart contracts like the one hacked here. "They had audits, but if the audits simply state that a knowledgeable individual examined the code for a specified period of time, the results are of limited value. Smart contracts require testable evidence that they perform exactly as you intend. This includes both defined security properties and techniques for evaluating them."
Guido continued as the CEO of security consultancy Trail of Bits:
The majority of software is vulnerable and requires vulnerability mitigation. We look for vulnerabilities proactively, acknowledge that they may be insecure while being used, and develop systems to detect when they are exploited. Smart contracts necessitate the elimination of vulnerabilities. Software verification techniques are widely used to provide verifiable assurances that contracts function properly. The majority of security issues in smart contracts arise when developers take the former rather than the latter approach to security. Numerous large, complex, and highly valuable smart contracts and protocols have avoided incidents, in addition to the numerous ones that were immediately exploited upon their launch.
Igor Igamberdiev, a blockchain researcher, took to Twitter to explain the composition of the drained tokens. Wrapped Ethereum was worth $18.2 million, MATIC tokens were worth $10.5 million, and WBTC was worth $2 million. Additionally, smaller amounts of Wrapped Bitcoin, Chainlink, Unit Protocol, Aavegotchi, and Immutable X tokens were included in the haul.
Only the Most Up-to-Date DeFi Hack
MonoX is not the only decentralised finance protocol to have been hacked for millions of dollars. Indexed Finance disclosed in October that it had lost approximately $16 million in a hack that took advantage of the way it rebalances index pools. Elliptic, a blockchain analysis company, reported earlier this month that so-called DeFi protocols have lost $12 billion to theft and fraud. Losses reached $10.5 billion in the first roughly ten months of this year, up from $1.5 billion in 2020.
"The relative immaturity of the underlying technology enabled hackers to steal users' funds, while the deep liquidity pools enabled criminals to launder the proceeds of ransomware and fraud," the Elliptic report stated. "This is part of a larger trend towards the illicit use of decentralised technologies, which Elliptic refers to as DeCrime."
Support us!