MonoX Finance, a blockchain startup, announced on Wednesday that a hacker siphoned off $31 million in digital coin by exploiting a bug present in the software the startup uses to draft smart contracts. The company leverages a decentralized finance protocol called MonoX that allows users to trade digital currency tokens without enforcing the same processes as those of traditional exchanges.
MonoX company representatives say that project owners can list their tokens without meeting capital requirements and use the funds for building a project, instead of providing liquidity.
The system works by grouping deposited tokens into a virtual pair with vCASH to create a single token pool design.
The flaw that caused it all
An accounting error built into the company’s software allowed an attacker to inflate the price of the MONO token and then use it to cash out all the other deposited tokens, according to a post by MonoX Finance.
The heist netted the attacker about $31 million worth of tokens on the Polygon and Ethereum blockchains, both of which are supported by the MonoX protocol.
The hack specifically used the same token as both the tokenin and tokenout (methods for exchanging the value of one token for another).
The audits that found nothing
There is no real reason to exchange a token for itself, so the software should never have allowed those transactions. It executed them anyway, despite MonoX’s three security audits conducted this year.
The problem is that many developers do not define their smart contracts well. Even with audits, one needs testable evidence that a smart contract has clearly defined security properties, along with techniques for evaluating those properties to find flaws.
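The same-token swap described above, and the kind of testable security property the previous paragraph calls for, can be shown in a small model. This is an added example, not MonoX's contract code: the pool structure, the pricing formula and the names `Pool`, `swap` and `self_swap_price` are assumptions made for illustration, and the balances are constructed.

```python
from dataclasses import dataclass

class SameTokenSwap(ValueError):
    """Raised when a swap names one token as both input and output."""

@dataclass
class Pool:
    price: float    # token price in vCASH (constructed value)
    balance: float  # token units held by the pool

def swap(pools, token_in, token_out, amount_in, reject_same_token):
    if reject_same_token and token_in == token_out:
        raise SameTokenSwap(token_in)
    pin, pout = pools[token_in], pools[token_out]
    # Both new prices are derived from state read BEFORE any write-back.
    amount_out = amount_in * pin.price / pout.price
    if amount_out >= pout.balance:
        raise ValueError("insufficient liquidity")
    new_in_price = pin.price * pin.balance / (pin.balance + amount_in)
    new_out_price = pout.price * pout.balance / (pout.balance - amount_out)
    pin.balance += amount_in
    pin.price = new_in_price      # selling pressure lowers the input price
    pout.balance -= amount_out
    pout.price = new_out_price    # same object when tokens match: overwrites the drop
    return amount_out

def self_swap_price(rounds, reject_same_token):
    """Return (price, balance, rejected) after attempted MONO->MONO swaps."""
    pools = {"MONO": Pool(price=1.0, balance=1000.0)}
    rejected = 0
    for _ in range(rounds):
        try:
            swap(pools, "MONO", "MONO", 100.0, reject_same_token)
        except SameTokenSwap:
            rejected += 1
    return pools["MONO"].price, pools["MONO"].balance, rejected

if __name__ == "__main__":
    print("unguarded:", self_swap_price(10, reject_same_token=False))
    print("guarded:  ", self_swap_price(10, reject_same_token=True))
```

In the unguarded run the pool balance never changes while the price climbs on every round; the property to assert in a test suite is that a swap with identical input and output tokens is rejected and leaves price and balance untouched.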
The heist included tokens from Wrapped Ethereum, MATIC, and WBTC, with smaller tokens for Wrapped Bitcoin, Chainlink, Unit Protocol, Aavegotchi, and Immutable X.