Everything that happened. (01.01)
Sincerely, thank you to everyone who supported me and motivated me to launch the v2. I would not have been able to do it without you.
Let me recap everything that happened yesterday, in chronological order.
- A white hat hacker (@SquirrelDeFi) contacted me yesterday saying that he had found a critical bug in the contract. He specified that all LPs were at risk (≈ $2m).
- We agreed on a bug bounty, and he showed me the bug.
- I realized it was real and that all LPs were definitely at risk if nothing was done.
- I sent him the bug bounty (5k gfarm) as agreed (https://etherscan.io/tx/0xe4b2c748dbda16167e6717f4d866b2b8501298351f4c85779491d0a6097b58a8)
- I sold 25% of the dev fund wallet's tokens (< 5% price impact) in order to start the v2 with a small fund. It will mainly be used for community contests and bug bounties.
- I told everyone in the Telegram group to unstake and sell their LPs, and posted the same notice on the website.
That's it. If I hadn't done this, $2m of LPs would have been drained by a hacker and everybody would have lost everything.
In fact, the attack had already begun. I realize this now, because I had already found it suspicious that the same address had opened almost 100 trades in 24h.
Someone had already found the vulnerability but didn't have time to drain the LPs, because the attack requires a lot of funds and takes some time.
It requires the hacker to repay a flash loan with his own money, but since he can open as many trades as he wants, wait 3 blocks, close them all at the same time, and secure profits that he can withdraw 3 blocks later, the attack is profitable.
I think that such a hack, one that requires the hacker to repay the flash loan with his own money, has never happened in DeFi. This kind of vulnerability is extremely rare.
The maximum position size was designed precisely to protect us against this, but since a smart contract can deploy thousands of other smart contracts and open thousands of trades through them, the maximum position size was useless.
To fix the vulnerability, we will prevent smart contracts from opening trades, and we will restrict the number of opened and closed trades to 10 per block.
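As an added illustration (this is not the GFARM contract's code and does not come from the author), here is a minimal Solidity sketch of the two mitigations described above: rejecting callers that are contracts, and capping opened plus closed trades per block. The contract name, the MAX_POSITION_SIZE figure, the simplified trade bookkeeping and the choice of a global (rather than per-address) per-block cap are all assumptions; the 10-per-block limit and the 3-block wait come from the post.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's contract. The trade bookkeeping is a
// placeholder; the real contract is assumed to have its own position and
// LP accounting.
contract TradeGuard {
    uint256 public constant MAX_TRADES_PER_BLOCK = 10;     // figure from the post
    uint256 public constant MAX_POSITION_SIZE = 100 ether;  // assumed figure
    uint256 public constant MIN_HOLD_BLOCKS = 3;            // "wait 3 blocks" from the post

    // block number => opens + closes already counted in that block
    mapping(uint256 => uint256) public tradesInBlock;

    struct Trade {
        address trader;
        uint256 size;
        uint256 openedAt;
        bool open;
    }
    Trade[] public trades;

    // Reject contract callers. msg.sender == tx.origin holds only when the
    // account that signed the transaction calls this contract directly; a
    // helper contract deployed by an attacker always shows up with a different
    // msg.sender, so one deployer can no longer spawn thousands of callers to
    // sidestep the per-address position limit.
    // Caveat: this also blocks legitimate contract wallets (multisigs etc.).
    modifier onlyEOA() {
        require(msg.sender == tx.origin, "contracts may not trade");
        _;
    }

    // Global cap on opens + closes in one block, so an attacker cannot batch
    // hundreds of closes into the same block.
    modifier rateLimited() {
        require(tradesInBlock[block.number] < MAX_TRADES_PER_BLOCK, "block trade cap reached");
        tradesInBlock[block.number] += 1;
        _;
    }

    function openTrade(uint256 size) external onlyEOA rateLimited returns (uint256 id) {
        require(size <= MAX_POSITION_SIZE, "position too large");
        trades.push(Trade(msg.sender, size, block.number, true));
        return trades.length - 1;
    }

    function closeTrade(uint256 id) external onlyEOA rateLimited {
        Trade storage t = trades[id];
        require(t.open && t.trader == msg.sender, "not your open trade");
        require(block.number >= t.openedAt + MIN_HOLD_BLOCKS, "wait 3 blocks");
        t.open = false;
        // settlement / PnL payout would happen here in the real contract
    }
}
```

Two design points worth weighing before copying this pattern: a global per-block cap means the first 10 callers in a block consume every slot, so it trades a liveness risk for the safety gain, and a per-address cap is the alternative; and the tx.origin check relies on current EVM semantics, so it should be re-evaluated if account abstraction or delegation proposals change what tx.origin means.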
This trading platform is the first of its kind; we have truly invented a brand new DeFi product. The same goes for the GFARM NFTs.
But with every new DeFi innovation comes the potential for bugs and hacks.
Just as YAM (one of the first yield farming protocols) was hacked, we are the first decentralized leverage trading platform combined with yield farming and the burning / minting of tokens, and unfortunately there was a vulnerability that I didn't see coming.
A 2nd medium post is coming soon with the details of the v2 and how we will learn from our mistakes.
Thank you for reading,