Exploit: Post Mortem
MONO Family. It’s with a heavy heart that we are writing such an update.
The past 24 hours have been difficult, and we’re simply at a loss for words. No apologies and no amount of words can describe how the team has been feeling since the attack transpired. We started building over a year ago with a mission to make DeFi more accessible to users and projects. We appreciate all the support we have received along the way from friends, partners, investors and our community of users.
Days like yesterday are horrible, there is no sugar coating the harsh reality of a contract being exploited and people losing money. Our supporters put their faith in a new project like us, and yesterday we let them down.
Security has always been very important to us. We conducted a three-month testnet + bug bounty, and conducted 3 audits prior to launch. In these audits, anything marked as high risk was immediately addressed. We’re continuing to work with our security partners to better understand what transpired and ensure this doesn’t happen again. We’ve been working with a security firm on an ongoing basis, as our security advisor since May.
First, we wanted to give you a quick breakdown of the addresses that have lost funds and each of these wallets are on top of mind to make right. 406 ETH and 15,523 Polygon addresses have been affected by the hack, and of these addresses, 42 ETH and 2,653 Polygon have been actively LPing in more than just 1 pool.
Roughly $31M was drained from the pool as a result of the hack
How the attack happened
The exploit was caused by a smart contract bug that allows the sold and bought token to be the same. In the case of the attack, it was our native MONO token. When a swap was taking place and tokenIn was the same as tokenOut, the transaction was permitted by the contract.
Any price updates from swap from tokenIn and tokenOut were independently verified by the contract. With tokenOut being verified last, this caused a massive price appreciation of MONO. The attacker then used the highly priced MONO to purchase all the other assets in our pool and drained the funds.
The attack was completed through a script, and was highly organized.
There have also been some reports from the wider DeFi community (unbiased actors). In the spirit of transparency, you can read more detailed information here:
- BlockSec Team: https://twitter.com/BlockSecTeam/status/1465690478414761992
- Mudit Gupta: https://twitter.com/Mudit__Gupta/status/1465726874974187524?s=20
What we have done in the past 24 hours
- Tried to make contact with the attacker to open a dialogue through submitting a message via transaction on ETH Mainnet
- Paused the contract and will implement a fix to undergo more rigorous testing. After coming up with an adequate compensation plan we will work on unpausing after our security partners have given the OK
- Contacted large exchanges to monitor and possibly stop any wallet address linked to the attack
- Collaborating with our security advisors to make progress in identifying the hacker and how to mitigate future risk
- Cross-referenced Tornado Cash wallet interactions with wallets that also used our platform
- Searched for any metadata left by front end interactions with our Dapp
- Detailed and mapped wallet addresses that could be considered ‘suspicious’ based on their interaction with our product. For example, removing a large amount of liquidity prior to the exploit
- Ongoing monitoring of the wallet with the funds. So far 100 ETH has been sent to Tornado Cash from the stolen funds. The rest is still there.
- Additionally, we will file a formal police report.
We would like to remind our users of our $1m Insurance from Tidal, and we are working on distributions.
Please know that fixing the issue is at the forefront of our thoughts, and most importantly how we can restore what was lost by our community. Be on the lookout for a compensation plan in the near future.
This also goes without saying, but we won’t even consider redeployment until we’ve been thoroughly audited again.
We know it will take time for the community to trust us again, but the team isn’t going anywhere and we plan to still build our products to make a difference for DeFi capital efficiency. We know and accept what is at stake here. We will make this right.
This is only the beginning of our story. We will continue to work on MonoX and double down on our security. To our community: Thank you so much for your love and support. This is a setback, but we are more committed than ever to building a bright future for MonoX and the DeFi space.