Really stupid “smart contract” bug let hackers steal $31 million in digital coin

MonoX Finance, a blockchain business, announced on Wednesday that a hacker stole $31 million by exploiting an accounting flaw in the smart-contract software that runs its exchange.

The startup develops the MonoX decentralized finance protocol, which allows users to trade digital currency tokens without some of the restrictions that traditional exchanges impose. “Product owners may sell their tokens without having to worry about financial constraints, allowing them to focus on growing the project rather than providing liquidity,” MonoX reps said. “It operates by combining deposited tokens into a virtual pair with vCASH to create a single token pool.” According to MonoX Finance, an accounting flaw in the company’s software allowed an attacker to inflate the price of the MONO token and then use it to cash out all the other deposited tokens. The haul totaled $31 million in tokens on the Ethereum and Polygon blockchains, both of which the MonoX protocol supports.

The attack abused the swap function’s tokenIn and tokenOut parameters, which name the token the user provides and the token the user receives in exchange. After each trade, MonoX recalculates the price of both tokens and writes the new values to storage. The price of tokenIn (the token the user deposits) decreases when the swap completes, while the price of tokenOut (the token the user receives) increases. By passing the MONO token as both tokenIn and tokenOut, the attacker made the contract compute both updates from the same pre-swap state; the tokenOut price increase was written after the tokenIn price decrease and overwrote it, so the net effect of the trade was a pure increase in MONO’s recorded price. That is how the attacker dramatically inflated the price of MONO. The inflated MONO was then swapped for $31 million worth of other tokens on the Ethereum and Polygon blockchains.

There is no legitimate reason to exchange a token for itself, so the trading contract should never have allowed such a transaction. It did, even though MonoX had received three security audits this year.

MonoX isn’t the only decentralized finance project that has been hacked for millions of dollars. Indexed Finance announced in October that it had lost nearly $16 million in a breach that targeted the way it rebalances index pools. Elliptic, a blockchain-analysis firm, reported earlier this month that so-called DeFi protocols have lost $12 billion to theft and fraud to date. Losses were $10.5 billion in the first ten months of this year, up from $1.5 billion in 2020.
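To make the overwrite concrete, here is an added Python model of the swap accounting described above. It is constructed for this article and is not MonoX’s contract code (which is Solidity): the price-impact formula, the pool contents, the token balances and the choice to repeat the self-swap ten times are all assumptions. What it preserves is the sequence that matters: both new prices are computed from the pre-swap state, the tokenIn price is written first and the tokenOut price second, and nothing stops tokenIn from equalling tokenOut. The hardened variant adds the one check the contract was missing.

```python
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class Pool:
    # Recorded vCASH price and token balance per token (constructed example state).
    price: dict = field(default_factory=dict)
    balance: dict = field(default_factory=dict)


def make_pool() -> Pool:
    # Constructed sample pool: two tokens quoted in vCASH, both priced at 1 vCASH.
    pool = Pool()
    pool.price = {"MONO": Fraction(1), "USDC": Fraction(1)}
    pool.balance = {"MONO": Fraction(1000), "USDC": Fraction(1_000_000)}
    return pool


def _quote(pool, token_in, token_out, amount_in):
    """Value amount_in in vCASH, convert it to token_out, and compute both post-swap
    prices from a snapshot of the PRE-swap state (the ordering bug lives here)."""
    p_in, b_in = pool.price[token_in], pool.balance[token_in]
    p_out, b_out = pool.price[token_out], pool.balance[token_out]
    amount_out = amount_in * p_in / p_out
    if amount_out >= b_out:
        raise ValueError("insufficient liquidity for tokenOut")
    # Hypothetical price-impact rule (not MonoX's formula): depositing tokenIn pushes
    # its price down, withdrawing tokenOut pushes its price up.
    new_p_in = p_in * b_in / (b_in + amount_in)
    new_p_out = p_out * b_out / (b_out - amount_out)
    return amount_out, new_p_in, new_p_out


def swap_vulnerable(pool, token_in, token_out, amount_in):
    """No check that tokenIn != tokenOut. When they are the same token, the balance
    updates cancel out but the second price write (tokenOut, price up) overwrites the
    first (tokenIn, price down), so a self-swap is a free price increase."""
    amount_out, new_p_in, new_p_out = _quote(pool, token_in, token_out, amount_in)
    pool.balance[token_in] += amount_in       # tokens really move in...
    pool.balance[token_out] -= amount_out     # ...and out (net zero for a self-swap)
    pool.price[token_in] = new_p_in           # tokenIn price update
    pool.price[token_out] = new_p_out         # tokenOut price update clobbers it
    return amount_out


def swap_hardened(pool, token_in, token_out, amount_in):
    """The missing guard: a token can never be swapped for itself."""
    if token_in == token_out:
        raise ValueError("tokenIn and tokenOut must differ")
    return swap_vulnerable(pool, token_in, token_out, amount_in)


def run_attack(swap, n_self_swaps=10):
    """Self-swap 500 MONO n times to inflate its recorded price, then cash out into USDC.
    Returns (MONO price after inflation, USDC obtained)."""
    pool = make_pool()
    amount = Fraction(500)
    for _ in range(n_self_swaps):
        amount = swap(pool, "MONO", "MONO", amount)   # attacker keeps the same 500 MONO
    inflated = pool.price["MONO"]
    stolen = swap(pool, "MONO", "USDC", amount)
    return inflated, stolen


def self_swap_rejected(swap) -> bool:
    """True if swap() refuses a MONO -> MONO trade on a fresh pool."""
    try:
        swap(make_pool(), "MONO", "MONO", Fraction(500))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("vulnerable (inflated price, USDC drained):", run_attack(swap_vulnerable))
    print("hardened rejects self-swap:", self_swap_rejected(swap_hardened))
```

With these constructed numbers each self-swap leaves the attacker holding the same 500 MONO while the recorded MONO price doubles, so ten round trips give a 1024x price and the final MONO-to-USDC swap pays out 512,000 USDC for tokens the pool valued at 500 vCASH before the attack. The guard in swap_hardened is the check the article says should have been there; an auditor reviewing any swap path should also ask whether a later state write is derived from state that an earlier write in the same call has already changed.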

“Hackers have been able to steal users’ funds due to the relative immaturity of the underlying technology,” according to the Elliptic report, “while criminals have been able to launder proceeds of crime such as ransomware and fraud due to the deep pools of liquidity. This is part of a bigger trend, which Elliptic refers to as DeCrime, in which decentralized technologies are exploited for criminal reasons.”