Buggy contract: DODO loses $3.5 million in recent exploit

  • Several DODO V2 Crowdpools have been exploited, resulting in the loss of about $3.5 million.
  • The exchange expects to recover about $1.8 million of the drained funds.

One of the leading decentralized exchanges (DEX), DODO, has confirmed an attack today that resulted in the loss of millions of dollars from some of its V2 Crowdpools. As the exchange team explained in an announcement on Tuesday, there was a bug in the smart contract, which allowed the exploiter to successfully perform the attack. The DEX, which also runs on the Binance Smart Chain (BSC), just became the latest platform exploited in the decentralized finance space.

DODO blames a bug in the V2 Crowdpooling smart contract

As explained, the following DODO V2 Crowdpools were affected in the recent exploit: the WSZO, WCRES, ETHA, and FUSI pools. The reported bug in the smart contract allows the init() function to be called multiple times, meaning the pools may have been attacked as follows:

“Exploiter creates a counterfeit token and initializes the smart contract with it by calling the init() function. Exploiter calls the sync() function and sets the “reserve” variable, which represents the token balance, to 0. Exploiter calls init() again to re-initialize – this time with a “real” token (i.e., tokens in DODO’s pools). Exploiter uses a flash loan to transfer all real tokens from the pools and bypass the flash loan check.”
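The flaw described above is closed by making init() callable exactly once, so the token cannot be swapped while a stale "reserve" value remains cached. The following is an added example and not DODO's contract code: a simplified, hypothetical pool (the names GuardedPool, token, reserve and the custom errors are assumptions) with a one-time initialization latch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: a simplified, hypothetical pool, not DODO's contract.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

contract GuardedPool {
    address public token;      // asset the pool holds, fixed at initialization
    uint256 public reserve;    // cached balance of `token`, refreshed by sync()
    bool private _initialized; // one-time latch; a re-callable init() lacks this

    error AlreadyInitialized();
    error NotInitialized();
    error InvalidToken();

    event Initialized(address indexed token, uint256 reserve);

    // Without the latch, a later init() call could replace `token` while
    // `reserve` still holds the value cached for the previous token.
    function init(address token_) external {
        if (_initialized) revert AlreadyInitialized();
        // Reject the zero address and addresses with no deployed code.
        if (token_ == address(0) || token_.code.length == 0) revert InvalidToken();
        _initialized = true;
        token = token_;
        reserve = IERC20(token_).balanceOf(address(this));
        emit Initialized(token_, reserve);
    }

    // `reserve` is always re-read from the token fixed by the single init() call.
    function sync() external {
        if (!_initialized) revert NotInitialized();
        reserve = IERC20(token).balanceOf(address(this));
    }
}
```

For clone or proxy deployments, the factory should call init() in the same transaction that creates the pool so that no other caller can initialize it first. OpenZeppelin's Initializable contract provides the same latch as an `initializer` modifier.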

Trading unaffected

About $3.8 million was drained from the affected pools, according to the announcement. However, the exchange expects to recover $1.88 million of the drained funds. Despite the incident, trading on the decentralized exchange wasn’t affected, and neither were the “wallet addresses that have given DODO approvals.” The native token of the exchange, DODO, doesn’t seem to be affected by the exploit.

At press time, it was trading at $4.03 on Coinmarketcap, with a 24-hour price change of about two percent.