DailyCoin
Published Mar 15, 2021 05:18AM ET
Updated Mar 15, 2021 05:30AM ET
How the Meerkat, Furucombo, IYF & PAID Token ‘Hacks’ Work
This year has seen an epidemic of cryptocurrency scams, with the teams behind them claiming to be hacked. It is hard to prove with complete certainty that these were exit scams from the get-go but they certainly follow a common pattern that would lead us to question whether incompetence alone is a sufficient explanation for their failure to prevent proxy smart contract exploits that have been discussed since 2018, 2019, and even in a paper published last October.
In January, before the $PAID token ‘hack,’ its vulnerability was publicly known: “The owner can mint tokens and did mint tokens to fresh wallets who never bought the presale. Contract is behind a proxy.” ‘Behind a proxy’ means that the functions (that carry out transactions) of the smart contracts are accessed, or ‘called’, through a proxy. Also the upgradable proxy can be ‘updated’, for example by adding new functions in the proxy.
Although the functions of the smart contract themselves can not be changed, using certain exploits (discussed below), function calls to the original smart contract can be diverted to malicious functions within the proxy. Thus, you should never trust a proxy blindly even if it points to a trusted implementation because it may still be able to direct you to malicious implementations or be updated to do so in the future.
It is hard to believe that platforms such as Meerkat, Furucombo, IYF & PAID, DODODex were hacked because even if the developer was not behind the rug-pull, he/she certainly made sure that the code was vulnerable to it by implementing his smart contract behind an upgradeable proxy. It is safe to assume that if the developer had the foresight to implement this complex Ethereum proxy mechanism for future bug-fixing or updating his platform, then he/she would also have the wherewithal to take measures to protect his/her private key that allows access to upgrading the proxy. At the very least, therefore, these appear to have been ‘exploit-tests.’
All of the attacks on platforms involved updating the deployer’s smart contract by leveraging the upgradeability mechanism offered by proxy pattern smart contracts (explained here). Without multi-signature contract control, the attacker can use proxy upgradeability to ‘update’ the smart contract to burn and mint tokens or add any new functions to the code. The proxy contract was intended for developers to be able to delegate function calls to other contracts and upgrade delegates without breaking dependencies.
However, with exploits like function clashing, the proxy contract can be easily manipulated by the deployer or someone with access to the deployer’s private key to divert functions being called through the proxy.
A more detailed explanation on the inner workings of upgradeable proxy smart contracts can be found here.
Binance-based token Meerkat’s exploit put the attacker in a difficult position: Binance controls on and off-ramps to Binance Smart Chain (it’s easy with only 21 validator nodes), meaning any stolen funds were locked on the chain and impossible to convert to profits. Thus, the Meerkat team has now decided to return the $31 million in stolen user funds. The hacked Ethereum-based tokens’ users are still trying to find a resolution.
How to prevent yourself from getting rug-pulled and/or scammed
3. Make sure the token implements multi-signature contract control with keys held by people you know and trust
4. Follow War-on-Rugs on Twitter
5. Understand why and how upgradable proxy is implemented in a secure way
6. Use the HoneyBadger heuristic tool to analyze smart contracts and detect honey pot contracts on Ethereum
On the Flipside
The following recovery efforts are being made after the hacks:
Continue reading on DailyCoin
Written By: DailyCoin
Trading in financial instruments and/or cryptocurrencies involves high risks including the risk of losing some, or all, of your investment amount, and may not be suitable for all investors. Prices of cryptocurrencies are extremely volatile and may be affected by external factors such as financial, regulatory or political events. Trading on margin increases the financial risks.
Before deciding to trade in financial instrument or cryptocurrencies you should be fully informed of the risks and costs associated with trading the financial markets, carefully consider your investment objectives, level of experience, and risk appetite, and seek professional advice where needed.
Fusion Media would like to remind you that the data contained in this website is not necessarily real-time nor accurate. The data and prices on the website are not necessarily provided by any market or exchange, but may be provided by market makers, and so prices may not be accurate and may differ from the actual price at any given market, meaning prices are indicative and not appropriate for trading purposes. Fusion Media and any provider of the data contained in this website will not accept liability for any loss or damage as a result of your trading, or your reliance on the information contained within this website.
It is prohibited to use, store, reproduce, display, modify, transmit or distribute the data contained in this website without the explicit prior written permission of Fusion Media and/or the data provider. All intellectual property rights are reserved by the providers and/or the exchange providing the data contained in this website.
Fusion Media may be compensated by the advertisers that appear on the website, based on your interaction with the advertisements or advertisers.