PAID Network exploiter nets $3 million in infinite mint attack

Published at: March 5, 2021

Paid Network, a DeFi platform aimed at real-world businesses, has been exploited today in an “infinite mint” attack that has sent PAID token prices plunging upwards of 85%.

While the exploit netted nearly $180 million in PAID tokens at the time of the attack — what would have comfortably been the largest exploit of a DeFi protocol — the hacker’s payday will end up being far less. One observer noted that the attacker’s wallet only converted some of their tokens to wrapped ether, leaving the rest in rapidly-devaluing PAID tokens: 

Summary of $PAID incident:
Total PAID swapped to WETH: 2079.603371141493 = $3,104,887.33
Total PAID left in account: 594,717,455.71 = $24,313,147
Total amount in attacker account = $27,418,034.33
Stay Safe. pic.twitter.com/Lz93qGKAq0

— vasa (@vasa_develop) March 5, 2021

The attacker’s wallet still has over 57 million PAID tokens worth $37 million. 

The exploit is conceptually similar to an attack on insurance protocol Cover that took place in late December last year. In that instance, the team took a “snapshot” of holders prior to the attack and issued a new token, returning the supply of the token to pre-exploit levels.

The team confirmed on Twitter that they are currently planning for a snapshot and restoration:

We are investigating the issue. We pulled liquidity, are creating a new smart contract, & will be restoring everyone's original balances to before the hack.
Those with staked, Lpool & UniFarm $PAID will have their tokens be sent to them manually.
We will share more updates soon

— PAID NETWORK (@paid_network) March 5, 2021

However, token holders anxious for a resolution may be out of luck. Some in the community are speculating that the attack on PAID wasn’t an exploit at all, but instead a “rugpull” — a colloquial term for an insider designing contracts to specifically make them exploitable and swiping user funds. 

Nick Chong of Parafi Capital noted on Twitter that Paid’s deployer contract, an externally controlled account, transferred ownership of the deployer to the attacker shortly before the mint, indicating that a member of the team either rugpulled, or errantly allowed the attack to take place with a security lapse:

Paid Network's deployer, an EOA, transferred ownership of a contract to the attacker 30 mins before the mint https://t.co/h14GdV4fCf

— Nick Chong (@n2ckchong) March 5, 2021

Additionally, a DeFi risk analysis account @WARONRUGS warned of exactly this exploit in late January, noting that the contract owner can mint PAID tokens at any time:

❌ Scam Advisory #86 - PAID Network $PAID (0x8c8687fC965593DFb2F0b4EAeFD55E9D8df348df)
Reason: The owner can mint tokens and did mint tokens to fresh wallets who never bought the presale. Contract is behind a proxy.
Likeliness of losing all funds: Very High
DYOR. #WARONRUGS❌ pic.twitter.com/YQunjpWuxY

— #WARONRUGS❌ (@WARONRUGS) January 25, 2021
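
The pattern these tweets describe, an ownership change followed shortly by a large mint, can be watched for in a token's event log. The sketch below is an added example, not code from the article or from Paid Network; it assumes the token emits the standard `OwnershipTransferred` and ERC-20 `Transfer` events, and the window, threshold, addresses and amounts are constructed for illustration.

```python
from dataclasses import dataclass

ZERO = "0x" + "0" * 40  # ERC-20 mints appear as Transfer events from the zero address

@dataclass
class Event:
    ts: int     # block timestamp, unix seconds
    name: str   # "OwnershipTransferred" or "Transfer"
    args: dict  # decoded event arguments

def flag_post_handover_mints(events, supply_before, window_s=3600, min_fraction=0.05):
    """Flag large mints that occur within window_s of an ownership change."""
    alerts, handover, supply = [], None, supply_before
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.name == "OwnershipTransferred":
            handover = (ev.ts, ev.args["newOwner"].lower())
        elif ev.name == "Transfer":
            src, dst, value = ev.args["from"].lower(), ev.args["to"].lower(), ev.args["value"]
            if src == ZERO:  # mint: compare against the supply tracked so far
                fraction = value / supply if supply else 1.0
                if handover and ev.ts - handover[0] <= window_s and fraction >= min_fraction:
                    alerts.append({
                        "recipient": dst,
                        "recipient_is_new_owner": dst == handover[1],
                        "minutes_after_handover": (ev.ts - handover[0]) // 60,
                        "fraction_of_supply": round(fraction, 4),
                    })
                supply += value
            elif dst == ZERO:  # burn
                supply -= value
    return alerts

# Constructed sample data: placeholder addresses and amounts, not values from the incident.
OLD_OWNER, NEW_OWNER, POOL = ("0x" + c * 40 for c in "abc")
SAMPLE_EVENTS = [
    Event(1_000, "OwnershipTransferred", {"previousOwner": OLD_OWNER, "newOwner": NEW_OWNER}),
    Event(2_800, "Transfer", {"from": ZERO, "to": NEW_OWNER, "value": 60_000_000}),
    Event(2_900, "Transfer", {"from": NEW_OWNER, "to": POOL, "value": 2_000_000}),
]

if __name__ == "__main__":
    for alert in flag_post_handover_mints(SAMPLE_EVENTS, supply_before=100_000_000):
        print(alert)
```

Because the advisory notes the contract sits behind a proxy, a monitor of this kind would also need to watch the proxy's admin and implementation changes, which this sketch does not cover.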

An on-chain note sent to the attacker has ominously warned that “the LAPD will be in contact with Kyle Chasse very shortly.” Kyle Chasse is the CEO of Paid Network.

Paid Network did not respond to a request for comment by the time of publication. 
