Wednesday, December 8, 2021

PAID Network exploiter nets $3 million in infinite mint attack



PAID Network, a DeFi platform aimed at real-world businesses, has been exploited today in an “infinite mint” attack that has sent PAID token prices plunging upwards of 85%.

While the exploit netted nearly $180 million in PAID tokens at the time of the attack — what would have comfortably been the largest exploit of a DeFi protocol — the hacker’s payday will end up being far less. One observer noted that the attacker’s wallet only converted some of their tokens to wrapped ether, leaving the rest in rapidly-devaluing PAID tokens.

The attacker’s wallet still has over 57 million PAID tokens worth $37 million.

The exploit is conceptually similar to an attack on insurance protocol Cover that took place in late December last year. In that instance, the team took a “snapshot” of holders prior to the attack and issued a new token, returning the supply of the token to pre-exploit levels.

The team confirmed on Twitter that they’re currently planning for a snapshot and restoration.

However, token holders anxious for a resolution may be out of luck. Some in the community are speculating that the attack on PAID wasn’t an exploit at all, but instead a “rugpull” — a colloquial term for an insider designing contracts to specifically make them exploitable and swiping user funds.

Nick Chong of Parafi Capital noted on Twitter that Paid’s deployer contract, an externally managed account, transferred ownership of the deployer to the attacker shortly before the mint, indicating that a member of the team either rugpulled, or errantly allowed the attack to occur with a security lapse.

Moreover, a DeFi risk assessment account, @WARONRUGS, warned of exactly this exploit in late January, noting that the contract owner can mint PAID tokens at any time.
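One way to monitor for the sequence described above, an ownership handover followed shortly by a large mint, is shown here as an added example; it is not code from PAID Network or from the original article. It assumes OpenZeppelin-style `OwnershipTransferred` events and ERC-20 mints emitted as `Transfer` from the zero address; the function name, thresholds, addresses and sample log are constructed for illustration.

```python
from dataclasses import dataclass

ZERO = "0x" + "0" * 40  # ERC-20 mints are Transfer events whose `from` is the zero address

@dataclass
class Event:
    block: int
    name: str   # "OwnershipTransferred" or "Transfer"
    args: dict

def find_post_handover_mints(events, supply, window=6_500, ratio=0.05):
    """Alert on mints >= `ratio` of supply within `window` blocks of an owner change.

    `window` and `ratio` are assumed thresholds; tune them per token.
    """
    alerts, last_change = [], None  # last_change = (block, new_owner)
    for ev in sorted(events, key=lambda e: e.block):
        if ev.name == "OwnershipTransferred":
            last_change = (ev.block, ev.args["newOwner"])
        elif ev.name == "Transfer":
            value = ev.args["value"]
            if ev.args["from"] == ZERO:  # mint
                recent = last_change is not None and ev.block - last_change[0] <= window
                if recent and value >= ratio * supply:
                    alerts.append({
                        "block": ev.block,
                        "new_owner": last_change[1],
                        "minted": value,
                        "blocks_after_handover": ev.block - last_change[0],
                        "pct_of_supply": round(100 * value / supply, 1),
                    })
                supply += value          # keep a running supply so the ratio stays meaningful
            elif ev.args["to"] == ZERO:  # burn
                supply -= value
    return alerts

# Constructed sample log (addresses and amounts are made up, not PAID's on-chain data).
OLD, NEW, USER = "0x" + "a" * 40, "0x" + "b" * 40, "0x" + "c" * 40
SAMPLE = [
    Event(100, "Transfer", {"from": ZERO, "to": USER, "value": 1_000}),        # routine small mint
    Event(200, "Transfer", {"from": USER, "to": OLD, "value": 500}),           # ordinary transfer
    Event(9_000, "OwnershipTransferred", {"previousOwner": OLD, "newOwner": NEW}),
    Event(9_040, "Transfer", {"from": ZERO, "to": NEW, "value": 60_000_000}),  # large mint
]

if __name__ == "__main__":
    for alert in find_post_handover_mints(SAMPLE, supply=100_000_000):
        print(alert)
```
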

An on-chain message sent to the attacker has ominously warned that “the LAPD will keep up a correspondence with Kyle Chasse very shortly.” Kyle Chasse is the CEO of PAID Network.

PAID Network did not respond to a request for comment by the time of publication.