QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$31 000 000 USD
NOVEMBER 2021
GLOBAL
MONOX
DESCRIPTION OF EVENTS
"MonoX is a new DeFi protocol using a single token design for liquidity pools (instead of using pool pairs). This is made possible by grouping deposited tokens into a virtual pair with the vCASH stablecoin. Our first use case for single token liquidity pools will be an Automated Market Maker - Monoswap, which is set to launch in October 2021. In the future, we will be launching lending/borrowing and derivatives products."
"An attacker exploited a vulnerability in MonoX Finance's smart contract to inflate the price of its digital token and then cash out."
"BLOCKCHAIN STARTUP MONOX Finance said on Wednesday that a hacker stole $31 million by exploiting a bug in software the service uses to draft smart contracts."
"The past 24 hours have been difficult, and we’re simply at a loss for words. No apologies and no amount of words can describe how the team has been feeling since the attack transpired. We started building over a year ago with a mission to make DeFi more accessible to users and projects. We appreciate all the support we have received along the way from friends, partners, investors and our community of users."
"First, we wanted to give you a quick breakdown of the addresses that have lost funds and each of these wallets are on top of mind to make right. 406 ETH and 15,523 Polygon addresses have been affected by the hack, and of these addresses, 42 ETH and 2,653 Polygon have been actively LPing in more than just 1 pool. Roughly $31M was drained from the pool as a result of the hack."
"The exploit was caused by a smart contract bug that allows the sold and bought token to be the same. In the case of the attack, it was our native MONO token. When a swap was taking place and tokenIn was the same as tokenOut, the transaction was permitted by the contract."
"Any price updates from swap from tokenIn and tokenOut were independently verified by the contract. With tokenOut being verified last, this caused a massive price appreciation of MONO. The attacker then used the highly priced MONO to purchase all the other assets in our pool and drained the funds. The attack was completed through a script, and was highly organized."
"As a new start up that had only launched our product for 2 months, we are in a tricky situation. Immediate remuneration of $31m to our users and investors is not possible. We also have to be conscious of compensating users with $MONO immediately because that would cause a downward death spiral of the token as users liquidate the $MONO. However, we are working on a strategy to pay back our users in full over time."
"If we can’t recoup the funds by 1/3/2022 we will issue a debt token dMONO for every dollar we are compensating. This token will be non-transferable, and we will deploy a dMONO vault."
"The way our protocol works, we are around 100x more profitable than a regular DEX with a similar TVL. When we relaunch again we will be buying back MONO using our revenue and sending MONO to this vault. Any holders of dMONO can withdraw from the vault at any time by burning their dMONO. When a withdrawal is done it is not reversible. If you choose to withdraw your dMONO before it reaches the owed value, it means you are forgiving the remaining portion of the debt."
"MonoX developers are working to implement new functionality to prevent exploits in the future. We will also be implementing new features to minimize LP risk by offering protocol-owned liquidity via bonds. More details on this to come in the near future."
"We have started to work with Immunefi and will offer an ongoing bug bounty for our product. We will scale the bug bounty amount as our TVL increases." "In the future, we will scale out TVL more slowly and are actively seeking ways to match higher insured amounts for the pool."
"The next iteration of the MonoX protocol will be launched with the utmost attention to security and detail. MonoX will relaunch only after a considerable effort from its developers and safety partners is spent to ensure robust security."
The blockchain project MonoX had its smart contract hot wallets breached and $31m of user funds taken. As a new project, it did not have much funding available to assist its users; however, it is working on a compensation plan.
HOW COULD THIS HAVE BEEN PREVENTED?
There are a number of ways to prevent and mitigate this situation. It is far more secure to hold the majority of funds in a multi-signature wallet whose keys are stored offline by multiple operators. This would limit the potential loss to only those funds actively held in the hot wallet. Audits can reduce the risk to the hot wallets further, and we advocate that at least 2 reviews be required prior to a project launch. We also propose a comprehensive industry insurance fund which could be available to assist.
A Software Bug Let Hackers Drain $31M From a Crypto Service | WIRED (Dec 16)
MonoX (Dec 28)
About - MonoX (Dec 28)
The Path Forward Part 2 Community Compensation (Dec 28)
Exploit Post Mortem (Dec 28)
@BlockSecTeam Twitter (Dec 28)
@Mudit__Gupta Twitter (Dec 28)
Rekt - MonoX - REKT (Dec 28)
Timeline of Cyber Incidents Involving Financial Institutions - Carnegie Endowment for International Peace (Dec 12)