Really stupid “smart contract” vulnerability allowed hackers to steal $31 million in digital coins

Blockchain startup MonoX Finance said on Wednesday that a hacker stole $31 million by exploiting a bug in the smart-contract software that underpins the service.

The company runs a decentralized finance protocol called MonoX, which lets users trade digital currency tokens without some of the requirements of traditional exchanges. “Project owners can list their tokens without the burden of capital requirements and focus on using funds for building the project instead of providing liquidity,” the company's documentation says. “It works by grouping deposited tokens into a virtual pair with vCASH, to offer a single token pool design.”

MonoX Finance revealed in a post that an accounting error built into the company's software let an attacker inflate the price of the MONO token and then use it to cash out all of the other deposited tokens. The haul amounted to $31 million worth of tokens on the Ethereum and Polygon blockchains, both of which are supported by the MonoX protocol.

Specifically, the hacker used the same token as both tokenIn and tokenOut, the input and output sides of a swap, the operation that exchanges the value of one token for another. MonoX updates prices after each swap by calculating a new price for each of the two tokens. Once the swap completes, the price of tokenIn (the token the user sends) goes down, and the price of tokenOut (the token the user receives) goes up.

By using the same token for tokenIn and tokenOut, the hacker greatly inflated the price of the MONO token, because the price update for tokenOut overwrote the price update for tokenIn: the decrease was written first and then clobbered by the increase, so the net effect of a swap was to raise MONO's price rather than lower it. The hacker then swapped the overpriced MONO for $31 million worth of other tokens on the Ethereum and Polygon blockchains.

There is no legitimate reason to swap a token for itself, so the contract that performs the swap should have rejected such transactions. It did not, even though MonoX had undergone three security audits this year. Rejecting tokenIn == tokenOut is the obvious input check; the deeper defect is that two independent writes to shared state were applied without anyone asking what happens when both target the same storage slot.

Pitfalls of smart contracts

“These kinds of attacks are common in smart contracts because many developers don't put a lot of effort into defining security properties for their code,” said Dan Guido, an expert in securing smart contracts like the one that was hacked. “They had an audit, but if the audit only shows that smart people looked at the code for a given period of time, then the value of the result is very limited. Smart contracts need testable evidence that they do what you intend, and only what you intend. That means defined security properties and the techniques employed to evaluate them.”

Guido, CEO of the security consulting company Trail of Bits, continued:

Most software requires vulnerability mitigation. We proactively look for vulnerabilities, accept that they may be used insecurely, and build systems to detect when they are exploited. Smart contracts need vulnerability elimination. Software verification techniques are widely used to provide provable guarantees that contracts work as expected. Most security issues in smart contracts arise when developers adopt the former approach to security instead of the latter. There are many large, complex and high-value smart contracts and protocols that have avoided incidents, and many that were exploited right after release.

Blockchain researcher Igor Igamberdiev took to Twitter to break down the composition of the drained tokens. They included $18.2 million in Wrapped Ethereum, $10.5 million in MATIC tokens, and $2 million worth of WBTC. The haul also included smaller amounts of tokens for Wrapped Bitcoin, Chainlink, Unit Protocol, Aavegotchi and Immutable X.

Only the latest DeFi hack

MonoX is not the only decentralized finance protocol to fall victim to a multimillion-dollar hack. In October, Indexed Finance said it lost about $16 million in a hack that exploited the way it rebalances index pools. Earlier this month, blockchain-analysis firm Elliptic said that so-called DeFi protocols have lost $12 billion to theft and fraud so far. Losses in the first 10 months or so of this year came to $10.5 billion, up from $1.5 billion in 2020.

Elliptic's report stated: “The relative immaturity of the underlying technology has allowed hackers to steal users’ funds, while the deep pools of liquidity have enabled criminals to launder the proceeds of crime such as ransomware and fraud. This is part of a broader trend in the use of decentralized technologies for illicit purposes, which Elliptic calls DeCrime.”

The MonoX post on Wednesday stated that over the past day, team members had taken the following steps:

  • Attempted to contact the attacker by submitting a message on the ETH mainnet to open a dialogue
  • The contract will remain paused and fixes will be implemented and subjected to more rigorous testing. After a sufficient compensation plan has been proposed, we will work to lift the pause once our security partners agree
  • Contacted large exchanges to monitor and possibly block any wallet addresses related to the attack
  • Working with our security advisors to make progress in identifying the hacker and reducing future risk
  • Cross-referencing Tornado Cash wallet interactions with wallets that also used our platform
  • Searching for any metadata left by interactions between the front end and our Dapp
  • Detailing and mapping wallet addresses that can be regarded as “suspicious” based on their interactions with our product, for example removing large amounts of liquidity before the exploit
  • Continuously monitoring the wallet holding the funds. So far, 100 ETH of the stolen funds has been sent to Tornado Cash. The rest remain there.
  • In addition, we will file an official police report.

The post stated that MonoX Finance has insurance to cover $1 million in losses, and that the company is now in the process of “distributing” it.
