The DODO decentralized exchange (DEX) has carried out a post mortem on the attack which resulted in as much as $3.8 million being drained.
BeInCrypto broke the news on March 9 that the DODO DEX had come under attack and a number of its liquidity pools were drained. At the time, $2.1 million was suspected to have been drained from several DODO v2 crowdpools. However, the post mortem carried out by the team suggests it could be more.
DODO explained in the post mortem that the v2 crowdpooling smart contract had a bug allowing a function to be called multiple times. This means that an exploiter can perform an attack by creating a counterfeit token and initializing the smart contract with it by calling the function in question [init()].
The attacker calls another function and sets the “reserve” variable, which represents the token balance, to zero. The init() function is used again to re-initialize with a “real” token. This allows the execution of a flash loan to transfer all the real tokens from the pools.
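The root cause described above, shown as an added example (this is not DODO's contract code): a pool whose init() has no guard, next to a version that can only be initialized once. The contract names, the sync() helper and the revert strings are hypothetical and heavily simplified.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical, simplified pool state shared by both variants below.
abstract contract PoolBase {
    IERC20 public baseToken;    // token the pool is configured to hold
    uint256 public baseReserve; // cached accounting of that token's balance

    // The cached reserve follows whichever token is currently configured,
    // so the token address must never change after setup.
    function sync() external {
        baseReserve = baseToken.balanceOf(address(this));
    }
}

// Before: init() can be called any number of times, by anyone.
// Each call silently replaces the token the reserve accounting refers to.
contract UnguardedPool is PoolBase {
    function init(IERC20 token) external {
        baseToken = token;
    }
}

// After: init() succeeds exactly once; every later call reverts.
contract GuardedPool is PoolBase {
    bool private _initialized;

    function init(IERC20 token) external {
        require(!_initialized, "ALREADY_INITIALIZED");
        require(address(token) != address(0), "ZERO_TOKEN");
        _initialized = true; // set the flag before touching external code
        baseToken = token;
        baseReserve = token.balanceOf(address(this));
    }
}
```

A one-time flag only protects calls after the first one, so the deployer (for example a factory contract) should call init() in the same transaction that creates the pool.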
Some DODO Funds Returned
DODO stated that it had managed to recover $1.89 million and that the team is in the process of returning these funds to the affected parties. That leaves around $1.91 million stolen in the attack.
Allegedly, two individuals participated in the exploit. The second had “all the hallmarks of a frontrunning bot”. The first individual has already contacted DODO and offered to send back the funds removed from pools.
The exploits didn’t affect trading, and wallet addresses that had DODO approvals are also unaffected.
Rekt Blog also ran an analysis on the attack. It stated that $2 million is a relatively small sum for an anonymous actor to take. Referring to the nature of hackers (black hats vs white), it added:
“It’s likely that the colour of the hat changes according to the sums of money that are available. Small sum = white hat for clout – Big sum = take it and add it to the other millions.”
DODO Token Price Update
DODO’s native token survived the incident relatively unscathed, trading flat around $4 over the past couple of days. It had a short spike to $4.26 during the morning of March 10 but quickly started to fall back. It is currently registering a 6% fall on the day to $3.84.
DODO hit an all-time high of $8 following the launch of liquidity farming on Binance in late February.
The total value locked on the DEX is currently $39 million. This is up marginally from yesterday’s levels but down 29% from before the exploit.