On Mar. 7, PAID Network released a post on Medium with a report on its Mar. 5 exploit.
In the report, PAID founder Kyle Chassé states that the attacker utilized a compromised private key to take advantage of the smart contract upgrade function. “The attacker then proceeded to ‘upgrade’ to a new smart contract which had the ability to burn and re-mint tokens.”
The attacker proceeded to mint 59,471,745.571 PAID tokens and then began to sell them. Over 2.5 million PAID tokens were sold on Uniswap. The hacker gained over 2 million ETH before the team noticed the exploit and took measures.
The PAID team asked token holders to set aside their transactions. Industry experts were called in and the post-mortem began.
PAID will relaunch the token. As for the platform, the team plans upgrades. These include multisignature contracts and improved security and process audits.
The token relaunch works from a snapshot of the token holdings at a moment just before the exploit began. Those tokens will be replaced. However, activity during the exploit is not covered, and the announcement does not go into what will happen to those who bought thinking that they were getting a good deal.
One issue with the PAID Network exploit is that the vulnerability that the hacker used was known. A tweet in January from #WARONRUGS pointed to the lack of multisignature contract control in particular.
Attack of the week
The frequency of attacks shows that hacker sophistication is improving faster than platform defense. On Feb. 27, Furucombo experienced a hack that lost it $15 million. CREAM Finance fell victim on Feb. 13, to the tune of $37.5 million.
Sometimes, the amounts are not huge, at least not to those being scammed. In January, SushiSwap gained unwanted attention for a hack that let a specific trading pair on its platform lose $103,000.
DeFi smart contracts and DEXs still need to secure their operations. Hacker sophistication is real, and any weakness will be exploited. Some hacks really are acts of malign genius, but others, such as the PAID Network event, are merely the result of lax security.