10 Mar 2021 Anthony Lehrman
DODO Exchange Suffered $3.8 Million Crowdpool Attacks
DODO, a decentralized exchange (DEX), suffered a $3.8 million hack on March 9. The attack affected several of DODO’s V2 liquidity crowdpools, and the exchange outlined the root cause in a post-mortem.
In the post-mortem note, DODO explained that the crowdpooling smart contract was flawed, allowing the attackers to “call a function” several times. The attackers were able to create counterfeit tokens and initialize the smart contract by calling the bugged function, init().
During the first call, the attacker calls a “reverse” variable, which adjusts the token balance to zero. Then the init() function is called again, this time to interact with a “real” token. The chain of actions sets up a flash loan execution, which transfers the real tokens out of the pools.
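The class of flaw described above, an initializer that can be called more than once, is shown below next to a guarded version. This is an added example, not DODO's contract code: the contract names, storage layout and error names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Hypothetical pool storage used only for illustration (assumed names).
abstract contract PoolStorage {
    address public baseToken;
    address public quoteToken;
    address public owner;
}

// Before: nothing records that init() has already run, so any caller can
// invoke it again and repoint the pool at different token addresses.
contract UnguardedPool is PoolStorage {
    function init(address base, address quote) external {
        baseToken = base;
        quoteToken = quote;
        owner = msg.sender;
    }
}

// After: a one-way flag makes init() callable exactly once.
contract GuardedPool is PoolStorage {
    bool private _initialized;

    error AlreadyInitialized();
    error ZeroAddress();

    modifier initializer() {
        if (_initialized) revert AlreadyInitialized();
        _initialized = true; // set before the body runs, so a nested call also reverts
        _;
    }

    function init(address base, address quote) external initializer {
        if (base == address(0) || quote == address(0)) revert ZeroAddress();
        baseToken = base;
        quoteToken = quote;
        owner = msg.sender;
    }
}
```

A review or audit check for this pattern is to confirm that every externally callable setup function either carries such a guard or is restricted to the deploying factory.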
Initially, the DODO team announced that $1.89 million of the stolen funds had been recovered, but later announcements raised the recovered amount to $3.1 million. Further investigation showed that the attack was conducted by three entities, two of which were trading bots.
The trading bots, however, have already returned the amount, with only $700,000 left to be returned. Of the remaining funds, $200,000 is frozen on centralized exchanges, while the other $500,000 would be returned at the expense of the DODO team.
DODO further explained that the funds from the liquidity pools are going to be returned to their owners in the next 24 hours.
DODO also started a new audit of their smart contracts, which would be conducted by Beosin. The crowdpooling functionalities are expected to be resumed within a week.
Meanwhile, Rekt Blog conducted an independent attack analysis, noting that $3.8 million is a “relatively small amount” for an actual hack attack.
“It’s likely that the color of the [hacker] hat changes according to the sums of money that are available. Small sum = white hat for clout – Big sum = take it and add it to the other millions,” Rekt Blog noted.
Meanwhile, DODO’s native token didn’t experience much of a drop and escaped the situation relatively unharmed, consolidating around the $4 mark over the past couple of days. Despite a slight peak of $4.26 on March 10, DODO’s price dropped by 6% to $3.84. However, DODO is far from its all-time high of $8, which happened after launching liquidity farming on Binance in late February.