[ad_1]
Launch the MonoX blockchain Finance said Wednesday that a hacker had stolen $ 31 million using a bug in the software the service uses to draft smart contracts.
The company uses a decentralized financial protocol known as MonoX, which allows consumers to trade digital currency tokens without any of the requirements of traditional exchanges. “Project owners can list their tokens without the burden of capital requirements and focus on using project construction funds instead of providing liquidity,” MonoX wrote in November. “It works by grouping deposited tokens into a virtual pair with vCASH to offer a token pool design.”
An accounting error built into the company’s software allows the attacker to inflate the price of the MONO token and then use it to cash all other deposited tokens, MonoX Finance revealed in a publication. The extraction amounts to $ 31 million tokens in the Ethereum or Polygon blockchain, both supported by the MonoX protocol.
In particular, the hack uses the same token as tokenIn and tokenOut, which are methods of exchanging the value of one token for another. MonoX updates the prices after each exchange, calculating new prices for both tokens. When the exchange is over, the price of the tokenIn – that is, the token sent by the user – decreases, and the price of the tokenOut – or the token received by the user – increases.
By using the same token for both tokenIn and tokenOut, the hacker greatly increased the price of the MONO token, as updating tokenOut replaces updating the price of tokenIn. The hacker then exchanged the token for tokens worth $ 31 million in the blockchains of Ethereum and Polygon.
There is no practical reason to exchange a token for the same token, and therefore transactional software should never allow such transactions. Alas, that was the case, although MonoX received three security audits this year.
The pitfalls of smart contracts
“These types of attacks are common in smart contracts, as many developers make no effort to define security properties for their code,” said Dan Guido, an expert in securing smart contracts like the one hacked here. “They had audits, but if the audits only show that a smart person has been looking at the code for a period of time, then the results are limited. Smart contracts need verifiable evidence that they are doing what you intend and only what you intend. This means certain security features and techniques used to assess them. “
The CEO of the security consulting company Trail of Bits, Guido continued:
Most software requires vulnerability mitigation. We proactively look for vulnerabilities, recognize that they may be insecure while using them, and build detection systems when they are exploited. Smart contracts require the elimination of vulnerabilities. Software verification techniques are widely used to provide verifiable assurances that contracts are working as intended. Most of the security issues in smart contracts arise when developers adopt the first security approach instead of the second. There are many smart contracts and protocols that are large, complex and very valuable that have avoided accidents, along with many that were immediately exploited when they were launched.
Blockchain researcher Igor Igamberdiev directed to Twitter to break the composition of the squeezed tokens. Tokens include $ 18.2 million in Wrapped Ethereum, $ 10.5 million in MATIC tokens and $ 2 million in WBTC. The retrieval also includes smaller tokens for Wrapped Bitcoin, Chainlink, Unit Protocol, Aavegotchi and Immutable X.
Only the latest DeFi hack
MonoX is not the only decentralized financial protocol that has fallen victim to multi-million dollar hacking. In October, Indexed Finance said it lost about $ 16 million in a hack that uses the way it rebalances index pools. Earlier this month, blockchain analysis company Elliptic said so-called DeFi protocols had lost $ 12 billion due to theft and fraud. Losses in the first 10 months of this year reached $ 10.5 billion, compared to $ 1.5 billion in 2020.
“The relative immaturity of the underlying technology has allowed hackers to steal money from consumers, while deep liquidity reserves allow criminals to launder the proceeds of criminal activities such as ransomware and fraud,” the Elliptic report said. “This is part of a broader trend in the exploitation of decentralized technologies for illegal purposes, which Elliptic calls DeCrime.
[ad_2]
Source link