Exploit: Post Mortem

Published in

MonoX

4 min readDec 1, 2021

MONO Family. It’s with a heavy heart that we are writing such an update.

The past 24 hours have been difficult, and we’re simply at a loss for words. No apologies and no amount of words can describe how the team has been feeling since the attack transpired. We started building over a year ago with a mission to make DeFi more accessible to users and projects. We appreciate all the support we have received along the way from friends, partners, investors and our community of users.

Days like yesterday are horrible, there is no sugar coating the harsh reality of a contract being exploited and people losing money. Our supporters put their faith in a new project like us, and yesterday we let them down.

Security has always been very important to us. We conducted a three-month testnet + bug bounty, and conducted 3 audits prior to launch. In these audits, anything marked as high risk was immediately addressed. We’re continuing to work with our security partners to better understand what transpired and ensure this doesn’t happen again. We’ve been working with a security firm on an ongoing basis, as our security advisor since May.

Metrics

First, we wanted to give you a quick breakdown of the addresses that have lost funds and each of these wallets are on top of mind to make right. 406 ETH and 15,523 Polygon addresses have been affected by the hack, and of these addresses, 42 ETH and 2,653 Polygon have been actively LPing in more than just 1 pool.

Roughly $31M was drained from the pool as a result of the hack

How the attack happened

The exploit was caused by a smart contract bug that allows the sold and bought token to be the same. In the case of the attack, it was our native MONO token. When a swap was taking place and tokenIn was the same as tokenOut, the transaction was permitted by the contract.

Any price updates from swap from tokenIn and tokenOut were independently verified by the contract. With tokenOut being verified last, this caused a massive price appreciation of MONO. The attacker then used the highly priced MONO to purchase all the other assets in our pool and drained the funds.

The attack was completed through a script, and was highly organized.

There have also been some reports from the wider DeFi community (unbiased actors). In the spirit of transparency, you can read more detailed information here:

BlockSec Team: https://twitter.com/BlockSecTeam/status/1465690478414761992
Mudit Gupta: https://twitter.com/Mudit__Gupta/status/1465726874974187524?s=20
Rekt
https://rekt.news/monox-rekt/

What we have done in the past 24 hours

Tried to make contact with the attacker to open a dialogue through submitting a message via transaction on ETH Mainnet
Paused the contract and will implement a fix to undergo more rigorous testing. After coming up with an adequate compensation plan we will work on unpausing after our security partners have given the OK
Contacted large exchanges to monitor and possibly stop any wallet address linked to the attack
Collaborating with our security advisors to make progress in identifying the hacker and how to mitigate future risk
Cross-referenced Tornado Cash wallet interactions with wallets that also used our platform
Searched for any metadata left by front end interactions with our Dapp
Detailed and mapped wallet addresses that could be considered ‘suspicious’ based on their interaction with our product. For example, removing a large amount of liquidity prior to the exploit
Ongoing monitoring of the wallet with the funds. So far 100 ETH has been sent to Tornado Cash from the stolen funds. The rest is still there.
Additionally, we will file a formal police report.

If any of our community members think they can help, please reach out to one of our team members in Discord or Telegram.

Insurance:

We would like to remind our users of our $1m Insurance from Tidal, and we are working on distributions.

Next Steps:

Please know that fixing the issue is at the forefront of our thoughts, and most importantly how we can restore what was lost by our community. Be on the lookout for a compensation plan in the near future.

This also goes without saying, but we won’t even consider redeployment until we’ve been thoroughly audited again.

We know it will take time for the community to trust us again, but the team isn’t going anywhere and we plan to still build our products to make a difference for DeFi capital efficiency. We know and accept what is at stake here. We will make this right.

This is only the beginning of our story. We will continue to work on MonoX and double down on our security. To our community: Thank you so much for your love and support. This is a setback, but we are more committed than ever to building a bright future for MonoX and the DeFi space.

Exploit: Post Mortem

Written by MonoX Team