For several weeks now, users have been migrating en masse from Ethereum and the Binance Smart Chain to Polygon, the new DeFi El Dorado. Unfortunately, malicious hackers are doing the same and attacks are increasing there.
A first attack on Polygon
On June 20, the DeFi SafeDollar protocol teams warned their users that an attack had been carried out against one of its smart contracts.
Without going into details, the attacker conducted a so-called reentrancy attack against the IDO smart contract of the SDS token. In total, the attacker was able to withdraw 9,959.26 SDS which were subsequently sold for 95,392 USDC after being repatriated to Ethereum.
Eventually, the funds were repaid by the protocol teams using $100,000 from the development fund.
Never one… without two!
As a news never comes alone, the protocol was the target of a second attack on Monday, June 28.
According to the information reported by the media Rekt, the attacker took advantage of a bug in the calculation of the protocol’s reward mechanism, allowing him to claim a large amount of SDO tokens for each deposit on the protocol.
In practice, the attack was carried out via the PLX token, which is supposed to charge a fee for each transfer. However, instead of being deducted on the user side, these were deducted from the reward balance.
“A deposit/withdrawal loop allowed the hacker to gradually deplete the pool’s PLX balance over the course of 101 transactions, resulting in a massively inflated accSdoPerShare of 1,142,913,215,739,484,400 SDOs offered for each PLX deposited. “Rekt’s publication
In total, this allowed him to recover an astronomical amount of SDOs, allowing him to subsequently withdraw 202,000 USDDC and 46,000 USDT from the protocol, for a total of $248,000.
Unsurprisingly, this attack caused the SafeDollar price to drop to 0… even though it is supposed to be a stablecoin.
One more attack for the DeFi ecosystem, coming just a week after Visor Finance’s attack on Ethereum. Once again, this event calls into question the security of DeFi protocols and the rigor of its developers.