MonoX, a decentralized finance (DeFi) protocol that offers single token pools, has been drained of an estimated $30 million. An alleged hacker exploited a smart contract bug in MonoX’s Ethereum and Polygon deployments, giving them the opportunity to steal assets deposited by other users.
This morning our contract has been exploited. We are sorry to our users who have deposited funds. The team is investigating and will try our very best to get the stolen funds back. We thank our community for your support.
— MonoX (@MonoXFinance) November 30, 2021
According to blockchain security researcher Mudit Gupta, a bug in MonoX’s contracts resulted in the protocol quoting incorrect prices during a token swap.
MonoX uses a single token to represent the token deposited or withdrawn from a liquidity pool. This reliance on a single token affects the process of updating asset prices, and it presented an opportunity for the hacker to artificially pump the price of the MonoX token in the system.
After executing several trades that inflated the price of MonoX in the system, the hacker was able to “trade a few dollars of MonoX tokens for a few million dollars of other tokens because the system incorrectly thought that MonoX is a super expensive token,” Gupta explained.
The security exploit comes less than 24 hours after the project announced it had received a grant to launch its protocol on the Harmony network.
MonoX Drops 20% in Aftermath
As one would expect, the negative development had an impact on the price of MonoX’s native token, $MONO. Data from CoinGecko reveals that the token’s value has dropped by over 20% in the wake of the exploit.
The latest security incident involving MonoX adds to the unending list of DeFi exploits witnessed since the emergence of the industry. Last month, another project, Indexed Finance, lost $16 million to a similar pricing vulnerability.