DODO noted in an announcement today that the majority of its V2 Crowdpools, including the WSZO, WCRES, ETHA, and FUSI pools, were targeted in the attack, while other Crowdpools were spared.
Details of The Attack
Explaining how the hackers carted away users' funds, the Ethereum-based on-chain liquidity provider said the criminals took advantage of a bug in the affected V2 pools.
Per the announcement, the bug allowed the init() function to be called multiple times, which made it possible for the criminals to create fake tokens.
DODO said that after the fake tokens were created and used to initialize a smart contract through the init() function, the contract's sync() function was called to set the 'reserve' variable.
The malefactors then called init() again to re-initialize the contract, this time with the real tokens held in the affected pools, which were subsequently transferred out of the pools, bypassing the "flash loan check."
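The root cause described above is an initializer with no one-time guard. The following is an added example, not DODO's contract code: a simplified, hypothetical pool (the contract names, the single-token layout and the error strings are assumptions) shown first with the unguarded init() and then with the guard that rejects a second call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

// Simplified, hypothetical pool (not DODO's code): init() has no guard.
contract ReinitializablePool {
    IERC20 public token;
    uint256 public reserve;

    // BUG: callable any number of times, by anyone, so the token the
    // pool accounts for can be replaced after the pool is live.
    function init(address token_) external {
        token = IERC20(token_);
    }

    // Records the pool's balance of whichever token is currently set.
    // After a second init(), this value describes a different token
    // than the one the pool now points at.
    function sync() external {
        reserve = token.balanceOf(address(this));
    }
}

// The same pool with a one-time initialization guard.
contract InitOncePool {
    IERC20 public token;
    uint256 public reserve;
    bool private initialized;

    function init(address token_) external {
        require(!initialized, "ALREADY_INITIALIZED");
        require(token_ != address(0), "ZERO_TOKEN");
        initialized = true; // set the flag before any other state change
        token = IERC20(token_);
    }

    function sync() external {
        require(initialized, "NOT_INITIALIZED");
        reserve = token.balanceOf(address(this));
    }
}
```

The guard only blocks re-initialization; the deploying factory still has to call init() in the same transaction that creates the pool, so that no third party can make the first call.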
Since users created all the affected pools, DODO has temporarily suspended the pool creation portal on its platform as part of measures to prevent any further attack.
Interestingly, one of the perpetrators had contacted DODO and promised to return some of the stolen funds of about $1.8 million to the exchange.
However, DODO is not relenting as it has contacted its security partners to recover all the funds stolen from its Crowdpools. The exchange reassured users that it is in control of the situation, saying that trading will proceed as always.
Attacks on DeFi Protocols
The recent event is one of the many attacks that have been carried out on various decentralized protocols.
It seems these protocols are so eager to commence operations, given the massive opportunities in the space, that they forget to cover major flaws in their projects that could lead to loss of funds.