Bug Software Let Destroyer Spend $ 31M From Crypto Service


Introduction to Blockchain MonoX Finance reported Wednesday that the thief stole $ 31 million by misappropriating software that the company uses to create smart contracts.

The company uses a financial system known as MonoX that allows users to sell digital currency symbols without other necessary cultural exchanges. “Project owners are able to write their signals without being overwhelmed by the big requirements and focus on spending on building the project instead of donating money,” representatives of the MonoX company said. wrote in November. “It works by combining the tags placed in two groups with vCASH, to provide a single pool design.”

An accounting error created in the company program allows the attacker to raise the price of the MONO token and use it to return all other tokens, MonoX Finance. revealed in the post. The total cost was $ 31 million Ethereum or Polygon blockchains, all supported by the MonoX protocol.

In particular, the hack used a token similar to tokenIn and tokenOut, which are ways to change the value of each token. MonoX changes prices on any exchange by calculating the new prices for both tokens. When the exchange is completed, the value of tokenIn — that is, the user-sent token – decreases and the tokenOut price — or the user-received token — rises.

Using the same token on tokenIn and tokenOut, the destroyer significantly increased the value of the MONO token because the tokenOut exchange changed the tokenIn value. The attacker exchanged the $ 31 million sign on Ethereum and Polygon blockchains.

There is no need to support the exchange of the same brand, so software that does business should not allow such events. Unfortunately, it did, even though MonoX received it triple security monitoring this year.

Disadvantages of Smart Contracts

“Such threats are common to smart contractors, because most manufacturers do not set a security code in their code,” said Dan Guido, an expert on smart contracts like the one who was robbed here. “They had audits, but if the research only says that a smart person sees the system for a given period, then the results are valuable. Wise contracts require conclusive evidence that they do what you want and what you want. in light. ”

The head of the Trail of Bits, Guido added:

Most programs want to reduce the risk. We monitor the complexity, agree that it can be unsafe when used, and design machines to detect when in use. Smart contractors need risk removal. Software verification methods are widely used to provide a guaranteed guarantee that contractors work the way they want. Many of the security features in smart contracts happen when manufacturers adopt an older security method, rather than the final one. There are many smart contracts and protocols that are big, complex, and very important that avoid incidents, including many that were used immediately at startup.

Blockchain researcher Igor Igamberdiev went on Twitter to destroy the formation of degenerative signals. Tokens included $ 18.2 million in Round Ethereum, $ 10.5 in MATIC tokens, and $ 2 million in WBTC. The shipment also included Wrapped Bitcoin, Chainlink, Unit Protocol, Aavegotchi, and Immutable X small tokens.

Only Latest DeFi Hack

MonoX is not the only financial system that can be affected by the multi-million dollar fraud. In October, Indexed Finance he said lost about $ 16 million in fraud that used a method to change index rates. Earlier this month, blockchain-analysis company Elliptic he said so-called DeFi protocols have lost $ 12 billion due to fraud and corruption. Losses in about 10 months of this year reached $ 10.5 billion, up from $ 1.5 billion by 2020.

“Technological malpractice has led terrorists to extort money from consumers, while economic instability has led terrorists to spend money on criminal activities such as ransom and fraud,” the Elliptic report said. “This is one of the many technological advances that are substituted for the non-compliant ones, which the Elliptic calls DeCrime.”





Source link

Leave a Reply

Your email address will not be published.