QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
UNKNOWN
JUNE 2021
GLOBAL
MAYO SWAP
DESCRIPTION OF EVENTS
"MayoSwap is an automatic liquidity acquisition yield farm running on Binance Smart Chain with lots of unique and creative features that let you earn and win."
"Each transfer of MAYO must pay a 5% transfer tax. The 4% transfer tax gets added to the liquidity pool through the contract automatically to raise the price floor continuously. And the liquidity will be locked and inaccessible." "By reducing the amount of MAYO generated per block, we slow the inflation. But we don't want to do this too frequently, too early, for the same reason we don't want a hard cap: we still need to incentivize people to provide liquidity."
"When users put their tokens into liquidity pools and stake their LP tokens in a farm, they put their crypto tokens in a bank. But this time the bank is a protocol created by someone anonymous. Especially users that move between the high-APY yield farms are at risk."
On "June 16th, multiple farms their native tokens were exploited all the way to $0.00. KetchupSwap, Lokum, YBear, Piggy, CaramelSwap. Sadly enough GoCerberus and Garuda were exploited as well." "A major exploit has affected multiple BSC farms by driving their native token prices to 0." "Cerberus, Garuda, KetchupSwap, Piggy, CaramelSwap, and a few more projects got exploited at the same time, because of mishandling of tokens with transfer tax."
"Most of the yield farms use a trusted contract called a MasterChef, which is used even by PancakeSwap themselves to distribute rewards. The problem is that the MasterChef was never designed for all these special tokens, it was designed specifically to receive rewards for LP tokens."
"But, yield farms kept popping up and adding non-LP tokens and everything was fine. Until recently tokens with a transfer fee became more popular. Most of our tokens have a transfer fee as well, it’s how we can have our tokenomics. But the problem is that the MasterChef was not designed for this."
"Due to the design of the masterchef if you stake 100 tokens (with a 5% transaction fee) in a MasterChef, you are still able to withdraw 100 tokens from the MasterChef. But due to the transfer fee, only 95 tokens actually arrived in the contract."
MayoSwap is a copy of PantherSwap. All funds are stored in a smart contract hot wallet. This contract had an error in the way deflationary tokens were handled, which caused extra rewards to be released.
All investors lost their funds as the hacker cashed out and the price of the token plummeted to zero. The project appears to be continuing to operate with a new smart contract that has since been audited by TechRate, however the project Twitter does not appear to exist.
HOW COULD THIS HAVE BEEN PREVENTED?
Hot wallets should either not store customer funds, or be insured fully.
@lewisaar0n Twitter (Sep 23)
blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11)
What exploit happened today for GoCerberus and Garuda, also for KetchupSwap, Lokum, YBear, Piggy, CaramelSwap and our rough compensation plan | by Thoreum Finance | Medium (Aug 29)
@JohnDoughBull Twitter (Sep 23)
@WatchPug_ Twitter (Sep 23)
@DappRadar Twitter (Sep 23)
Address 0xe959d028728a58bc794dbd025e36d558cdc439d2 | BscScan (Sep 24)
Binance Smart Chain DeFi Protocol Exploited and Token Drained to $0.00 by Hackers - Fxcryptonews (Sep 24)
Welcome to Yield Farm Library - Yield Farm (Sep 24)
MayoSwap (Oct 20)
MayoSwap - MayoSwap (Nov 6)
MAYO - MayoSwap (Nov 6)
GitHub - mayoswap/audits (Nov 6)
