PECO Liquidity Pool Exploit

James Wang, Amun
Oct 31, 2021

TLDR

  • On October 30th, there was an exploit on the Wrapped PECO–ETH liquidity pool on SushiSwap.
  • PECO holders were not affected by this attack. All PECO held by customers is safe.
  • A total of 30.5 ETH was drained from the liquidity pool. The liquidity pool was seeded wholly by Amun. Only Amun company funds were lost.
  • We have identified and fixed the vulnerability, and the updated contract has been deployed.
  • We have re-seeded the Wrapped PECO–ETH liquidity pool to facilitate trading.
  • The exploit only affected the Wrapped PECO–ETH pool on Ethereum. The PECO–MATIC pool on Polygon was not affected.

What happened?

At 4:54 PM UTC on October 30th there was a liquidity exploit on our Wrapped PECO–ETH pool on SushiSwap that allowed the exploiter to drain 73.2 ETH out of the pool. No funds in PECO were compromised. The exploiter returned 42.9 ETH to Amun’s deployer contract and used Tornado Cash to walk away with the other 30.5 ETH. The vulnerability that allowed the exploit was resolved by our team within five hours, and the pool has been replenished with new liquidity. Since Amun was the sole liquidity provider, there is no monetary impact on PECO holders.

What made this possible?

This exploit was made possible by the burn function in the Wrapped PECO contract being left unprotected (see the offending function here). Because of this, the exploiter was able to burn all the Wrapped PECO tokens held by the SushiSwap pool, which is what made the exploit possible. The Amun team has updated the contract to prevent this same exploit from occurring again.
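To illustrate the class of defect described above, here is an added example (constructed for this write-up, not the deployed Wrapped PECO code) showing a wrapped-token burn function that anyone can call against any account, beside a hardened version in which a holder can burn only its own balance, or a balance it has been explicitly approved to spend. It assumes OpenZeppelin Contracts v5 for ERC20 and Ownable; the token names and the `mint` function are placeholders.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

// Vulnerable pattern (constructed illustration): no access control and no
// check that the caller owns the balance, so any caller can burn any
// account's tokens, including the balance held by a liquidity pool.
contract WrappedTokenUnprotected is ERC20 {
    constructor() ERC20("Wrapped Example", "wEX") {}

    function burn(address account, uint256 amount) external {
        _burn(account, amount);
    }
}

// Hardened pattern: burning is limited to the caller's own balance, or to
// a balance the caller has been approved for (the ERC20Burnable shape).
// Minting stays restricted to the contract owner (the bridge operator).
contract WrappedTokenProtected is ERC20, Ownable {
    constructor() ERC20("Wrapped Example", "wEX") Ownable(msg.sender) {}

    // A holder may only destroy tokens it actually owns.
    function burn(uint256 amount) external {
        _burn(msg.sender, amount);
    }

    // Burning a third party's balance requires that party's allowance,
    // which is consumed here exactly like a transferFrom would consume it.
    function burnFrom(address account, uint256 amount) external {
        _spendAllowance(account, msg.sender, amount);
        _burn(account, amount);
    }

    // Placeholder issuance path; only the owner can create wrapped supply.
    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }
}
```

A review checklist item that catches this class of bug: every state-changing function that takes an `account` parameter must either require `msg.sender == account`, spend an allowance, or be gated by an explicit role.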

Follow Up

We are conducting a comprehensive security review to ensure that there are no other vulnerabilities. For any questions or support, please reach out to us on Telegram or Discord. If you have any information on this exploit or feedback, please let us know.

Important Links

Contract Address
0x566e1f69cb0692901ddab39867347ff3aa01120e

Contract Creation Transaction
https://etherscan.io/tx/0x0ab05c290ef677ee24e519e9a6e896441cd0aff45ddce698cd274982616e75e6

Exploit Transaction
https://etherscan.io/tx/0x4cb2bc4350e8799e9931e2703af2e89758798c26e54652c555df6022750fce27

Contract Self Destruct
https://etherscan.io/tx/0x095d9954146c5d060a666cc91a15392580a7de6f7715c1477d810ee4a047bcfb

Destination Address of the exploited ETH
0x1c5761a7b9170c42af726902b378fe897fe08ad3

Funds returned to the deployer address
https://etherscan.io/tx/0xe666860d173af649fa8a66515451352d51de9950b060322262aa181c183dabee

Funds sent to another address that later sent to Tornado Cash
https://etherscan.io/tx/0x2e20819438d1ee519e3e67cbb1ade7e2083bb022bbcda8d626b9c420cb9f9b99

PECO is minted to replace the tokens that were burned
https://etherscan.io/tx/0x6d91768337bc60e45d5c320d0f18f7830f6be7384a93018aa7e107a0d06aa8bb
