UNKNOWN

AUGUST 2020

GLOBAL

DEGENS MONEY

DESCRIPTION OF EVENTS

"A PLACE FOR EXTREME DEGEN FUN. PLAY IF YOU DARE." "Degens.money is created for ultimate and pure degen fun. $DEGEN is the yield farming token to end all yield farming tokens."

 

"Most of the code are forked from existing protocols such as Compound, Synthetix, which have been running on mainnet without known issues. We encourage you to do your own due diligence before playing." "WARNING: DO NOT INVEST AN AMOUNT YOU CANNOT LOSE."

 

"Another such case happened with a project called Degen Money, which used a slightly less sophisticated (but not less effective) approach. Rather than developing their own smart contract, they created a frontend that made two approval transactions. One to a functioning contract, and one to a completely different address. Because many people do not specifically check the contract addresses, this allowed the attackers to drain users' wallets."

 

A Twitter user named Nik Kunkel tweeted: "Funds are not SAFU (Degen.Money). Anyone who used the UX for yield farming is exposed to a double approval exploit. The first approval is for the staking contract, the second approval lets the attacker pull that token from your wallet!" YFI founder Andre Cronje commented on this tweet, saying, "I've confirmed this is accurate. They are approving your funds to themselves, they are currently using transferFrom to take funds from users. Please revoke approvals, withdrawing your funds is not sufficient."

 

"Anyone who used the UX for yieldfarming is exposed to a double approval exploit. The first approval is for the staking contract, the second approval lets the attacker pull that token from your wallet!"

 

"Push unique friends broke the news, DeFi liquidity mining project Degen.Money use dual licensing loopholes (Double Approval Exploit) to obtain the user money. YFI founder Andre Cronje also said on Twitter that the project is indeed risky and requires manual cancellation of authorization."

 

"A malicious approve bug has been found in our UI code. Please do not use http://degens.money for any action until further notice. You can follow https://twitter.com/nomos_paradox/status/1299215849018937345 to undo the malicious approvals. We sincerely apologize for this incident."

 

"Twitter users reported that DeFi's liquidity mining project Degen.Money exploited a double approval vulnerability to get users' Money. The first authorization gives the pledge contract, and the second authorization gives the right to transfer money, which will result in the user's funds being taken away by the attacker. YFI founder Andre Cronje says the project does have risks."

The Degens Money platform was experimental in nature and required users to click past a number of warnings, at which point they gave full access to their ethereum wallet (and any held ERC20 tokens) to the platform. Once connected up, there was no easy way to revoke the granted permissions. Users had to follow the set of instructions written by another third party.

HOW COULD THIS HAVE BEEN PREVENTED?

In terms of the smart contract, this case involved unlimited permissions being granted, which is highly dangerous and exposed investors to risks they might not have realized beyond a standard liquidity pool. The vulnerable contract had not even been audited.

 

In general, smart contracts have a security profile similar to hot wallets. Human beings have a much stronger track record of detecting breaches, and a multi-sig of known individuals is generally safer than a smart contract.

 

Check Our Framework For Safe Secure Exchange Platforms

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.