$300 000 USD

OCTOBER 2021

GLOBAL

GLIDE FINANCE

DESCRIPTION OF EVENTS

"Glide into a new kind of finance. The first native farm and exchange on Elastos." "Glide Finance is a Decentralized Exchange / Automated Market Maker, Yield Farming, and Staking platform running on the Elastos Smart Chain (ESC) that aims to accelerate adoption of the Elastos ecosystem by acting as a source of liquidity for users and the projects built on it. We're invested in building a strong foundation with our GLIDE token as a governance token, diverse farms, a built in bridge, and more features down the line."

 

"Elastos is a multi-chain ecosystem, which provides secure, fast transactions with extremely low transaction fees. The Elastos Smart Chain is one of many components included in the Elastos SmartWeb, a fully decentralized internet where users are the owners of their own identity and data." "ESC is a sidechain to the Elastos mainchain that supports Solidity smart contracts. Consensus runs on DPoS to deliver a high-performance, scalable smart contract execution solution for the Elastos ecosystem." "Glide was built for Elastos exclusively. 80% of all swap fees on the platform are converted to $ELA and shared with platform users."

 

"Our #DEX contracts will be audited by Paladin Blockchain Security @0xPaladinSec. We chose them for their top-quality audit reports and close relationships with @RugDocIO and @avalancheavax. They will help us ensure that #Glide is safe to use so we can build out #DeFi on #Elastos" "We take your asset safety seriously, so we had our contracts reviewed by one of the leading security organizations."

 

"The exchange is a set of smart contracts based on Uniswap V2 that allows any combination of two tokens to be swapped." "Deposit your assets into liquidity pools to earn trade fees and support the growth of the Elastos ecosystem." "Earn GLIDE tokens for liquidity mining and staking, or earn other tokens by supplying GLIDE to special partnership pools with other projects building on Elastos."

 

"We're pleased to announce our launch details. Site live: October 15th at ~18:00 UTC Farming start: Block #9000000 (~October 20th 0:00 UTC)" "We're making a slight parameter change before we deploy official contracts. The swap fee will be reduced from 0.3% to 0.25%." "Official contracts have been deployed and listed. Website will be available for public use tomorrow at https://glidefinance.io, with $GLIDE farming set to begin at #ESC block #9000000 on the 19th." "The website is now live and open for cross-chain bridging from @ethereum and @HECO_Chain, pooling, swapping, and pre-staking in farms."

 

"Glide Finance, a DEX on the Elastos Smart Chain (ESC) was exploited due to the team making a fee-change parameter post-audit but failed to update a number on a contract to 10,000 from 1,000." "[A] theft of funds totaling around $300k shortly after opening up for liquidity deposits." "This attack vector was introduced while updating the fee structure of the AMM smart contracts."

 

"This morning Glide was exploited and funds were drained from the pair contracts. We have diagnosed the root cause, and this is 100% our fault, not @0xPaladinSec. We made a fee parameter change post-audit and failed to update a number from 1000 to 10000 on the contract."
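The root cause quoted above, a fee change from 0.3% to 0.25% with one constant left at 1000, is the kind of error a property check on the pair's constant-product guard catches before deployment. The following is an added example, not Glide's or Uniswap's code: a Python model of a Uniswap V2-style guard, assuming the stale constant sat on the reserve side of the check (the page does not say which line it was); function names and pool sizes are constructed.

```python
"""Model of a Uniswap V2-style swap guard with configurable fee scaling.

Constructed for illustration; which constant was left stale is an assumption.
"""


def swap_guard_accepts(reserve0, reserve1, amount0_in, amount1_out,
                       fee_num, balance_scale, reserve_scale):
    """Return True if the pair's K check would accept a token0 -> token1 swap.

    balance_scale multiplies the post-swap balances (less the fee on input);
    reserve_scale is the constant applied to the pre-swap reserves.
    The check is only sound when the two scales are equal.
    """
    balance0 = reserve0 + amount0_in
    balance1 = reserve1 - amount1_out
    if balance1 <= 0:  # a pair cannot pay out its whole reserve
        return False
    adjusted0 = balance0 * balance_scale - amount0_in * fee_num
    adjusted1 = balance1 * balance_scale  # no token1 input in this model
    return adjusted0 * adjusted1 >= reserve0 * reserve1 * reserve_scale ** 2


def find_k_violation(fee_num, balance_scale, reserve_scale,
                     reserve0=1_000_000, reserve1=1_000_000):
    """Return the first (amount_in, amount_out) the guard accepts even though
    the real product balance0 * balance1 falls below the starting product,
    or None if the guard holds for every swap tried."""
    k_before = reserve0 * reserve1
    for amount_in in (1, 1_000, 100_000):
        for pct_out in range(1, 100):
            amount_out = reserve1 * pct_out // 100
            if not swap_guard_accepts(reserve0, reserve1, amount_in, amount_out,
                                      fee_num, balance_scale, reserve_scale):
                continue
            if (reserve0 + amount_in) * (reserve1 - amount_out) < k_before:
                return amount_in, amount_out
    return None


if __name__ == "__main__":
    print("audited 0.3% :", find_k_violation(3, 1000, 1000))
    print("intended 0.25%:", find_k_violation(25, 10000, 10000))
    print("stale constant:", find_k_violation(25, 10000, 1000))
```

Run as a pre-deployment test, any non-`None` result means the guard accepts a swap that shrinks the pool, which is the condition a fee-parameter change has to be re-checked against.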

 

"The project is now contacting cryptocurrency exchanges to block transfers and has asked its users to withdraw any funds still deposited in Glide liquidity pools."

 

"We've compiled a list of affected addresses and lost asset balances." "The loss amount appears to have been around $300k. We're in the process of contacting exchanges to block transfers but it is unknown at this stage if anything will come of this." "Please withdraw any funds still deposited in Glide liquidity pools."

 

"We have not yet determined how reimbursement and/or resolution will occur but we are working on it. Stressful day all around, just know that we'll do what we can to make everyone whole again." "We're going to find a way to recover from this. We're not yet comfortable with accepting donations from your own funds or projects. What we'll need more than anything else is liquidity when we re-launch, so that's probably the best way everyone could help out." "We will be outlining a recovery plan for those affected, as well as reaching out to the audit organization and asking them to re-certify that the contracts are safe but for the single errant digit."

 

"We've published an article outlining our plans to recover from this event and re-launch the platform. Please have a read below if you were affected or are interested in becoming a $GLIDE bond holder." "Full reimbursements have been issued to the lower balance accounts. Please check your wallets. In addition, a total 45,810 GLIDE-BOND tokens (representing 45,810 ELA) have been airdropped to the larger accounts."

 

"All users who experienced losses up to $1000 will be reimbursed in full in each of the assets they lost. Of the 73 accounts affected (list may be viewed here), this will cover 52 of them." "Full reimbursement of accounts <$1000 and distribution of GLIDE-BOND tokens to accounts >$1000 will occur this Friday (October 22nd)."

 

"The remaining 21 accounts with losses exceeding $1000 will be airdropped GLIDE-BOND tokens that will be representative of the assets lost, but denominated in ELA. The price conversion will take place at the time of the airdrop. For instance, if a user lost $1000 worth of stablecoins, and the price of ELA is $5 on the spot market, the user will receive 200 GLIDE-BOND tokens. After this event, the underlying value of the GLIDE-BOND tokens will be 1 ELA, regardless of ELA’s price movement."

 

"Bond holders will receive weekly airdrops of GLIDE (interest on their debt) and ELA (repayment of principal). Token rewards and principal will primarily come out of the team’s development fund, with a lesser amount to come out of the community treasury if necessary."

 

"Yesterday the blockchain team upgraded the explorer (https://esc.elastos.io) to a new version that fixed the contract verification issue and also enabled read/write access using injected wallets (i.e. metamask)." "This is what we've been waiting for to relaunch, and is also a critical feature to make ESC more DeFi-friendly in general. This means users can always interact with contracts directly in the event a DDoS-type attack were to force a web app offline, similar to etherscan." "We've re-deployed & verified our contracts, and will announce dates/times for re-launch tomorrow. It'll be early next week." "We'll also be making some minor adjustments to the LP pairs at launch. GLIDE-USDC will be removed (to be added later on) and FILDA-ELA will be added. FILDA will also be included as one of the default bridge pairs."

 

"@FilDAFinance completed an internal audit of our contracts and found no issues. We're ready to re-launch. #GLIDE will re-open for deposits on Monday (Nov 1st) and farming will begin at block #9255555 (around 6 PM UTC on Wednesday, Nov 3rd)"

 

As of November 1st, "We're live at https://glidefinance.io for bridging, liquidity deposits and prestaking. $GLIDE farming will begin at #ESC block #9,255,555 (2 days from now). Remember to double check swap prices while liquidity remains low!"

 

"The GLIDE-USDC farm will return with a 4x multiplier. Pre-staking will open soon and farming will begin in ~24 hours (17:00 UTC Dec. 2nd)."

Despite an audit from Paladin Blockchain Security, Glide Finance still fell victim to having its smart contract hot wallets drained. The drain happened shortly after the project launched. The team has managed to reimburse the majority of affected users; the minority with larger losses received bonds instead, which are slowly being repaid.

HOW COULD THIS HAVE BEEN PREVENTED?

There are a number of ways to prevent and mitigate this situation. It is far more secure to keep the majority of funds in a multi-signature wallet whose keys are stored offline by multiple operators. This would limit the potential loss to only those funds actively held in the hot wallet. Audits can further reduce the risk on the hot wallets, and we advocate that at least 2 reviews be required prior to a project launch. We also propose a comprehensive industry insurance fund which could be available to assist.

 


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.