DODO Finance Initialization Vulnerability
DODO operated a decentralized exchange on Ethereum and Binance Smart Chain. The V2 Crowdpool contracts that went live differed from the version PeckShield had audited: code changes merged after the audit removed the permission check on the pool contract's init() function, so outsiders could call it, and call it repeatedly. The exact series of events is complicated: there was one real attacker (Hippo), but most of Hippo's transactions were front-run by bots (Gazelle and Leopard), which ended up holding most of the drained funds. The end result was that about $3.8 million was drained; $3.1 million was returned within 24 hours, a further $200,000 was frozen on an exchange, $300,000 was given as a special bounty, and roughly $200,000 remained with the attacker.
The Crowdpooling contracts were relaunched after two further audits, by PeckShield and Beosin.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24]
About DODO Finance
"Dodo Finance is a decentralized exchange that lives on both Ethereum and Binance Smart Chain." "The exchange works by having market makers contribute to pools of funds, enabling traders to buy and sell tokens from the pools."
"[W]e had merged, after [our Peckshield] audit, several code changes to simplify the logic before going live in February, and missed this critical permission management step."
"On March 8, 2021, the DODO DEX experienced a smart contract hack." "[T]he Dodo Finance attacker was able to exploit a bug in the Dodo contract that allowed them to fraudulently mint new tokens, the attacker also used flash loans to make the most of their attack."
"After a quick probe, we discovered the root cause: the init() function in the pool creation contract could be called multiple times, leading to repeated initializations. The attackers took advantage of this and borrowed out the tokens in the liquidity pools using flash loans. The pool contract was then initialized again and counterfeit tokens created by the attackers were returned in lieu of the original tokens, bypassing the flash loan return check logic." "The bad actor creates a counterfeit token and initializes the smart contract with it by calling the init() function, then calls the sync() function and sets the “reserve” variable (representing the total balance) to 0. He calls init() again to re-initialize, this time with a “real” token, and uses a flash loan to transfer all such coins from the pools and bypass the flash loan check."
"According to reports from DODO, several V2 Crowdpools were attacked, whereas all V1 and non-Crowdpool V2 pools remained safe." "The exploits targeted several DODO V2 Crowdpools, namely the WSZO, WCRES, ETHA, and FUSI pool. Funds in all other pools, including all V1 pools and all non-Crowdpool V2 pools, are safe." "Dodo explained that a bug enabled attackers to create counterfeit tokens and use flash loans—very fast loans that occur within a single transaction—to collect real tokens."
"[T]his issue only impacted part of our V2 pool functionality. The trading module was unaffected. In addition, only project teams that worked with us during pool creation and provided liquidity for their pools saw losses. DODO users’ assets were untouched."
"Afterward, the attacker used their illicitly minted tokens and funds from the flash loan to drain the Dodo Finance liquidity pools to the tune of approximately $3.8 million."
"DODO has disabled the pool creation portal in the meantime to protect newly-created crowdpools and will now focus on recovering user’s funds with its security partner." "Trading on the DODO platform is unaffected by the exploits." "Wallet addresses that have given DODO approvals are unaffected by the exploits."
"We began our rescue and remediation efforts immediately. Within 15 minutes, our dev[eloper] team identified all the pools that were still exposed to the vulnerability and rescued the remaining funds at risk (roughly $80,000). Then, we disabled the pool creation portal on the frontend side. Our operations team sent out an announcement to inform the DODO community of this incident and reached out to project teams."
"Meanwhile, we monitored the on-chain movements of lost assets and estimated the total to be $3.8 million worth of USDT, ETH, and various project tokens."
"The story of exactly how the funds were recovered evokes a mystery novel with a villain, selfless heroes, plenty of plot twists, and ultimately, a happy ending." "Further analysis revealed that two addresses executed the attack. We will refer to these addresses as Hippo (0x368) (“Individual A” in our preliminary report) and Gazelle (0x355) (“Individual B” in our preliminary report), respectively." "Although Leopard continued to remain anonymous, we were able to directly communicate with Leopard through the help of Samczsun and other white hat friends."
"The only real attacker was Hippo. Hippo executed two attacks, but both were front-run by Gazelle. Hippo got very frustrated and spent some time writing a contract to bypass Gazelle’s bot. They succeeded this time, and the funds went into Hippo’s contract. Hippo’s withdrawals from the contract were again front-run by bots. Gazelle and Leopard had a “gas battle”, and eventually Leopard won. By this point, Hippo had already executed 3 attacks, but got nothing to show for it, since all of them were front-run by the bots sniping from the Dark Forest! Hippo was eventually able to execute two successful attacks, but both involved relatively small amounts, netting them a total of about $200,000. We are still exploring ways to recover these funds."
"Before Gazelle returned the drained vETH tokens, their bot was trapped by a honeypot contract designed and deployed specifically for it. This trap contract used 0.05 ETH as bait and stole 324 vETHs (worth about $500,000) from the bot. We still don’t know who set this trap — it could have been Hippo, or it could have been some other individual. We will refer to this trap-setter as Skunk. In the end, Gazelle generously decided to share the loss with us, for which we are very grateful. Within 24 hours of the attacks, we were able to recover $3.1 million out of the $3.8 million stolen, with a further $200,000 frozen on an exchange at our request and $300,000 given as a special bounty."
On March 19th, 2021, the team "published an official statement regarding the March 9 security incident impacting DODO’s Crowdpooling contracts. Humbled by the experience, [they report they] have updated [their] security practices to the highest industry standards and are reinforcing [their] auditing processes."
"There are many predators in the Dark Forest, but they are not all as cold and ruthless as one might think. We were fortunate enough to be saved by the Good Samaritans of the bot ecosystem, who intercept stolen assets from malicious actors and return them to the victims."
"To this day, there are still many people who believe that the crypto world is full of scammers and hackers. In our opinion, such an overgeneralization is unfair. We are genuinely blessed and humbled by everyone who lent us a helping hand during DODO’s most difficult time."
"Crowdpooling Security audits completed by @peckshield & @Beosin_com. Crowdpooling has been re-enabled."
The Reality
DODO's pool-creation contract had been audited by PeckShield, but, by DODO's own account, several code changes merged after the audit to simplify the logic before the February 2021 launch dropped a critical permission-management step: the pool contract's init() function could be called by anyone, and more than once. The V2 Crowdpool contracts that were deployed were therefore not the code the auditor had reviewed.
What Happened
The loss came from re-initialization of live V2 Crowdpool contracts, followed by a scramble between the attacker and front-running bots over the drained funds.
| Date | Event | Description |
|---|---|---|
| February 2021 | Launch | DODO V2 goes live with code changes merged after the PeckShield audit, including the unguarded init() in the pool-creation contract. |
| March 8th, 2021 (March 9 in DODO's own statement) | Attack | Several V2 Crowdpools (WSZO, WCRES, ETHA and FUSI) are drained by re-initializing the pool contract with counterfeit tokens and taking flash loans of the real tokens. Roughly $3.8 million in USDT, ETH and project tokens is taken. Most of the attacker's (Hippo's) transactions are front-run by bots (Gazelle, Leopard), which capture the bulk of the funds. |
| March 8th, 2021 | Response | Within 15 minutes DODO's developers identify the pools still exposed and rescue the remaining funds at risk (about $80,000); the pool-creation portal is disabled on the frontend, the community is informed and affected project teams are contacted. |
| Within 24 hours of the attack | Recovery | $3.1 million is returned; a further $200,000 is frozen on an exchange at DODO's request and $300,000 is given as a special bounty. Before returning funds, Gazelle's bot loses 324 vETH (about $500,000) to a honeypot contract set by an unknown party (Skunk). |
| March 19th, 2021 | Statement | DODO publishes its official statement on the incident and announces updated security and auditing practices. |
| Later | Relaunch | Security audits by PeckShield and Beosin are completed and Crowdpooling is re-enabled. |
Technical Details
The V2 Crowdpools were deployed through a pool-creation contract whose init() function had no check that it had already been run and no restriction on who could call it. DODO's postmortem describes the resulting attack sequence as follows:
1. The attacker deploys a counterfeit token and calls init() on a live pool with it, pointing the pool at the counterfeit token instead of the real one.
2. The attacker calls sync(), which recomputes the pool's "reserve" variable (its recorded total balance) from the token the pool now points at. The pool holds none of the counterfeit token, so the recorded reserve becomes 0.
3. The attacker calls init() again with the real token, restoring the original token addresses while the recorded reserve stays at 0.
4. The attacker takes a flash loan of the pool's entire real-token balance. Because the flash-loan repayment check is evaluated against the recorded reserve, which is now 0, the loan passes the check without being repaid.
DODO's two descriptions differ in wording (one says counterfeit tokens were returned "in lieu of the original tokens", the other that sync() zeroed the reserve), but the root cause is the same: state that should be set once, by the factory at deployment, could be rewritten by any caller at any time, and the flash-loan check trusted that state. Only the V2 Crowdpool creation path was affected; the trading module, V1 pools and non-Crowdpool V2 pools were not.
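An added illustration of the initialization bug described above. This is not DODO's contract code; the contract, function and token names are assumptions. VulnerablePool reproduces the pattern in the postmortem (an init() with no one-shot guard and no caller restriction, a sync() that reads reserves from whatever tokens the pool currently points at, and a flash-loan repayment check evaluated against those reserves); GuardedPool is the same pool with the guard a practitioner would expect.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustration added to this case study; it is not DODO's code. A stripped-down
// liquidity pool with a re-callable init(), beside the same pool with a one-shot,
// factory-only initializer. All names here are assumptions.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IFlashLoanReceiver {
    function onFlashLoan(uint256 baseAmount, uint256 quoteAmount, bytes calldata data) external;
}

contract VulnerablePool {
    IERC20 public baseToken;
    IERC20 public quoteToken;
    uint256 public baseReserve;
    uint256 public quoteReserve;

    // Bug: no "already initialized" check and no caller restriction, so anyone
    // can point a live pool at a different pair of tokens at any time.
    function init(address base, address quote) external {
        baseToken = IERC20(base);
        quoteToken = IERC20(quote);
    }

    // Reserves are whatever the *current* token addresses report.
    function sync() public {
        baseReserve = baseToken.balanceOf(address(this));
        quoteReserve = quoteToken.balanceOf(address(this));
    }

    function flashLoan(uint256 baseAmount, uint256 quoteAmount, address receiver, bytes calldata data) external {
        if (baseAmount > 0) require(baseToken.transfer(receiver, baseAmount), "transfer failed");
        if (quoteAmount > 0) require(quoteToken.transfer(receiver, quoteAmount), "transfer failed");
        IFlashLoanReceiver(receiver).onFlashLoan(baseAmount, quoteAmount, data);
        // Repayment check against the recorded reserves. Attack path:
        // init(fake, fake) -> sync() records 0/0 -> init(real, real) ->
        // flashLoan(entire balance): balance 0 >= reserve 0, so nothing is owed.
        require(baseToken.balanceOf(address(this)) >= baseReserve, "base not repaid");
        require(quoteToken.balanceOf(address(this)) >= quoteReserve, "quote not repaid");
        sync();
    }
}

contract GuardedPool {
    address public immutable factory;
    bool private _initialized;
    IERC20 public baseToken;
    IERC20 public quoteToken;
    uint256 public baseReserve;
    uint256 public quoteReserve;

    constructor(address factory_) {
        factory = factory_;
    }

    // Fix: init() runs exactly once, and only the deploying factory may call it
    // (ideally in the same transaction as deployment, so it cannot be front-run).
    modifier initializer() {
        require(!_initialized, "already initialized");
        _initialized = true;
        _;
    }

    function init(address base, address quote) external initializer {
        require(msg.sender == factory, "only factory");
        require(base != address(0) && quote != address(0) && base != quote, "bad tokens");
        baseToken = IERC20(base);
        quoteToken = IERC20(quote);
    }

    function sync() public {
        require(_initialized, "not initialized");
        baseReserve = baseToken.balanceOf(address(this));
        quoteReserve = quoteToken.balanceOf(address(this));
    }

    function flashLoan(uint256 baseAmount, uint256 quoteAmount, address receiver, bytes calldata data) external {
        require(_initialized, "not initialized");
        // Capture token handles and pre-loan balances before handing control to the
        // borrower, so nothing the callback does can redirect the repayment check.
        IERC20 base = baseToken;
        IERC20 quote = quoteToken;
        uint256 baseBefore = base.balanceOf(address(this));
        uint256 quoteBefore = quote.balanceOf(address(this));
        if (baseAmount > 0) require(base.transfer(receiver, baseAmount), "transfer failed");
        if (quoteAmount > 0) require(quote.transfer(receiver, quoteAmount), "transfer failed");
        IFlashLoanReceiver(receiver).onFlashLoan(baseAmount, quoteAmount, data);
        require(base.balanceOf(address(this)) >= baseBefore, "base not repaid");
        require(quote.balanceOf(address(this)) >= quoteBefore, "quote not repaid");
        sync();
    }
}
```

Against VulnerablePool the sequence DODO describes works as written: init(fake, fake), then sync() records both reserves as 0, then init(realBase, realQuote), then flashLoan() for the whole balance passes the balance-versus-reserve check without repayment. Against GuardedPool the second init() reverts on the one-shot guard, an init() from any address other than the factory reverts, and the repayment check is computed from handles and balances captured before the borrower's callback rather than from storage the callback might have rewritten. OpenZeppelin's Initializable contract provides the same one-shot guard for proxy and clone deployments.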
Total Amount Lost
The total amount lost has been estimated at $3,800,000 USD.
DODO monitored the on-chain movement of the drained assets and estimated the total at $3.8 million worth of USDT, ETH and various project tokens. Only the liquidity that project teams had provided to the four affected V2 Crowdpools (WSZO, WCRES, ETHA and FUSI) was taken; V1 pools, non-Crowdpool V2 pools, the trading module, and users' own assets and token approvals were untouched. Most of the drained funds were captured by front-running bots rather than by the attacker Hippo, who netted only about $200,000.
Immediate Reactions
Within 15 minutes DODO's developers identified every pool still exposed to the vulnerability and rescued the remaining funds at risk (about $80,000), then disabled the pool-creation portal on the frontend while trading on the platform stayed open. The operations team announced the incident to the DODO community and contacted the affected project teams, and DODO began tracking the stolen assets on-chain with its security partner. DODO stated that wallets which had granted approvals to DODO were not affected.
Ultimate Outcome
DODO's analysis found two addresses executing the attack: Hippo (0x368a6558255bccac517da5106647d8182c571b23) and Gazelle (0x3554187576ec863af63eea81d25fbf6d3f3f13fc). Hippo was the only real attacker; Gazelle and a third party, Leopard, ran front-running bots that out-bid Hippo's transactions and captured most of the drained funds. With the help of Samczsun and other white hats, DODO communicated with the bot operators, and Gazelle returned the drained vETH after losing 324 vETH (about $500,000) to a honeypot contract set by an unknown party, Skunk. Within 24 hours DODO had recovered $3.1 million of the $3.8 million, had a further $200,000 frozen on an exchange at its request, and gave $300,000 as a special bounty; Hippo kept about $200,000 from two successful attacks. On March 19th, 2021, DODO published its official statement on the incident, and after re-audits by PeckShield and Beosin, Crowdpooling was re-enabled.
The $300,000 bounty was a special bounty paid during the fund recovery, not a reward for discovering the vulnerability.
Total Amount Recovered
The total amount recovered has been estimated at $3,100,000 USD.
$3.1 million of the $3.8 million was returned within 24 hours, chiefly by bot operators who had front-run the attacker's transactions. A further $200,000 was frozen on an exchange at DODO's request and $300,000 was given as a special bounty, which DODO reported as reducing the total loss to about $200,000, the amount Hippo netted. The losses fell on the project teams that had provided liquidity to the affected Crowdpools, not on DODO users.
Ongoing Developments
At the time of DODO's postmortem, the roughly $200,000 netted by Hippo was still being pursued, and the identity of Skunk, who set the honeypot that took 324 vETH from Gazelle's bot, was unknown.
General Prevention Policies
Our recommendation is that smart contracts be audited by at least two auditors prior to launch, by a third after three months of operation, and then on an ongoing six-month basis. Having multiple auditors' opinions significantly lowers the probability of a successful attack. In particular, any modifications made after an audit should be audited again before they are deployed; in this case the vulnerable change was merged after the PeckShield audit and went live unreviewed.
Smart contracts can be secured better by holding the majority of funds in a multi-signature treasury structure. A bug bounty can incentivize others to find and report problems as well.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Platform policies supported by this case: guard contract initialization so that it runs exactly once and only from the deploying factory; re-audit any code merged after an audit before deploying it (the vulnerable change here was merged after the PeckShield audit); be able to disable the exposed functionality quickly, as DODO did with its pool-creation portal; and maintain a bug bounty. See also the General Prevention Policies above.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] Rekt - Leaderboard (May 13, 2021)
- [2] Rekt - DODO - REKT (May 16, 2021)
- [3] $200 million stolen in 5 days via DeFi - CoinGeek (May 17, 2021)
- [4] Important update regarding recent events on DODO – DODO (May 17, 2021)
- [5] Decentralized Exchange DODO Hacked For $3.8 Million, Token Price Falls Only 2% (May 19, 2021)
- [6] @BreederDodo Twitter (May 19, 2021)
- [7] Explained: The DODO DEX Hack (March 2021) - Halborn (May 19, 2021)
- [8] Ethereum Transaction Hash (Txhash) Details | Etherscan (May 19, 2021)
- [9] DeFi Protocol Dodo Hacked for $3.8 Million - Decrypt (May 19, 2021)
- [10] Address 0x3554187576ec863af63eea81d25fbf6d3f3f13fc | Etherscan (May 19, 2021)
- [11] DeFi Hacks Continue: Decentralized Exchange DODO Exploited for up to $3.8M (May 19, 2021)
- [12] Address 0x368a6558255bccac517da5106647d8182c571b23 | Etherscan (May 19, 2021)
- [13] SlowMist Hacked - SlowMist Zone (Jun 26, 2021)
- [14] blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11, 2021)
- [15] Dodo Pool Incident Postmortem With A Little Help From Our Friends (Aug 11, 2021)
- [16] Rekt - DODO - REKT (Aug 11, 2021)
- [17] DODO Pool Incident Postmortem: With a Little Help from Our Friends | by DODO | DODO (Dec 15, 2022)
- [18] DODO Recovers Funds, Reduces Total Loss to $200K | by DODO | DODO (Dec 15, 2022)
- [19] @BreederDodo Twitter (Dec 15, 2022)
- [20] @BreederDodo Twitter (Dec 15, 2022)
- [21] @BreederDodo Twitter (Dec 15, 2022)
- [22] @BreederDodo Twitter (Dec 15, 2022)
- [23] @BreederDodo Twitter (Dec 15, 2022)
- [24] DODO Home (Dec 15, 2022)