$1 300 000 USD

FEBRUARY 2021

GLOBAL

GROWTH DEFI

DESCRIPTION OF EVENTS

"GROWTH claims to be a DeFi ecosystem on the Ethereum blockchain built to maximize yields from the top DeFi protocols, introducing liquidity provider exposure without suffering from impermanent loss." "Growth DeFi provides an easy way to maximize the yield users can generate with their tokens by using PMTs & gTokens, GRO is the token of the protocol and when staked it has governance rights over the stkGRO DAO and shares the profits generated from the fees charged in PMTs & gTokens." "[T]he project was successfully audited by Consensys Dilligence"

 

"An attacker created a Fake ERC-20 token named rAXZZ and an associated with it an Uniswap V2 Liquidity Pool paired it with GRO (GRO/rAXZZ)."

 

"Due to a vulnerability in the stkGRO/rAAVE contract — which did not properly check the match between the LP assets and the token being deposited — allowed the deposit to be accepted. It was forwarded to the Uniswap V2 Router which routed (as instructed by the stkGRO/rAAVE) the swap and subsequent liquidity provision via the fake LP."

 

"The 5056 GRO/rAXZZ LP shares obtained were then mistakenly taken by the stkGRO/rAAVE contract as legitimate GRO/rAAVE LP shares. It then accepted them in exchange for 14513 newly minted stkGRO/rAAVE shares."

 

"Once on hold of the 14513 stkGRO/rAAVE shares the attacker proceeded to withdraw the 5056 GRO/rAAVE LP shares from the stkGRO/rAAVE contract using the simple withdrawal function, that returns to the staker GRO/rAAVE LP shares and burns the provided stkGRO/rAAVE shares."

 

"The team will further review the contracts and provide a new deployment for the staking contracts at the right time."

 

"We have decided to migrate rAAVE to a new token called gROOT which won’t rebase, this is being done to mitigate future vulnerabilities that may come up otherwise with rebasing."

 

"We have taken snapshots of the farming LP balances before the exploit happened. 1.4 MM $ was drained by the attacker, of which 12% was from users (168,000 $). We will issue 168,000 SAFE proportionally to the stkGRO/rAAVE tokens held in the farming contract before the exploit happened."

 

"SAFE tokens will be airdropped to BSC wallets. SAFE tokens will be bought up in the future for up to 1$ each as the protocol earns fees from the different products it offers, it won’t be instant but eventually all of the tokens will be bought back and destroyed."

 

As one affected user Francis said, "We should be getting the value of our gro back at the time the snapshot was taken before the hack. You are penalising investors for the hack by paying us the value after he had market dumped everything and crashed the price. Or at the very least you should pay us back in $gro like we deposited, so we have the chance for the price to rebound and recover our money. This way you are capping our compensation at like 15% of what we put in. This was an error on your part and you are penalising us for it. This isnt making things right?"

A successfully audited smart contract still contained an exploit. This exploit enabled a very smart individual to extract funds from the platform's hot wallets. That smart individual decided to keep the money.

 

Affected users are given the equivalent of 15% of their money back.

HOW COULD THIS HAVE BEEN PREVENTED?

It's impossible to prove definitively that a smart contract is secure, and smart contracts operate live, enabling a hacker to steal funds immediately.

 

On the other hand, an offline air-gapped wallet is not remotely reachable, and when setting up so multiple signatures are required for withdrawals, this can prevent theft by any single individual.

 

Check Our Framework For Safe Secure Exchange Platforms

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.