DeFi Hacks Continue: Decentralized Exchange DODO Exploited for up to $3.8M


cryptopotato.com 09 March 2021 08:48, UTC

The hacks and exploits on DeFi projects continue, and the latest victim to fall is the decentralized exchange platform – DODO. The attack targeted several V2 Crowdpools, and the stolen amount could go as high as $3.8 million.

DODO Victimized by Hackers

The decentralized finance sector is no stranger to malicious attacks and harmful exploits. The decentralized exchange and liquidity provider DODO is the latest to join the growing number of victims.

As the first complaints appeared on Twitter, the project said that it had “temporarily disabled” the pool creation portal as a precautionary measure, while promising that it was working with security partners to recover the funds.

Shortly after, the DODO team explained that the attack took place on March 8th, when the undisclosed hackers exploited several V2 Crowdpools, namely WSZO, WCRES, ETHA, and FUSI. DODO managed to recover the funds in the AC pool, while all remaining pools (all V1 and non-Crowdpool V2) were safe.

PSA Regarding Recent Exploit on DODO

On March 8, Several DODO V2 Crowdpools were attacked. WSZO, WCRES, ETHA, and FUSI pools were impacted, while AC pool funds have been fully recovered.

Funds in all other pools, including all V1 pools and all non-Crowdpool V2 pools, are safe.

— DODO DEX (@BreederDodo) March 9, 2021

As far as the total stolen amount goes, the project asserted that “approximately $3.8 million, of which $1.88 million is expected to be returned, was drained as a result of these exploits.”

The post reads that one of the attackers already contacted the project and “offered to send back the funds removed from DODO pools.”

DODO said that its V2 Crowdpool had a bug that allowed the hackers to target them successfully. It worked as follows:

The attacker creates a counterfeit token and initializes the smart contract with it by calling the init() function, then calls the sync() function, which sets the “reserve” variable (representing the total balance) to 0. The attacker then calls init() again to re-initialize, this time with a “real” token, and uses a flash loan to transfer all such coins out of the pools, bypassing the flash loan check.
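The flaw described above comes down to an initializer that can be run more than once. The following Python model is an added example, not DODO's contract code and not part of the original article; the class names, the `replay` helper and the form of the repayment check (the pool balance must not end below `reserve`) are assumptions made for illustration.

```python
# Simplified model constructed for illustration; names and the check's form are assumptions.
class Token:
    def __init__(self):
        self.balances = {}
    def balance_of(self, who):
        return self.balances.get(who, 0)
    def transfer(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] = self.balance_of(src) - amount
        self.balances[dst] = self.balance_of(dst) + amount

class UnguardedPool:  # init() may be called again by anyone: the flaw described above
    def __init__(self):
        self.token, self.reserve, self.initialized = None, 0, False
    def init(self, token):
        self.token = token
    def sync(self):
        self.reserve = self.token.balance_of(self)
    def flash_loan(self, borrower, amount, callback):
        snapshot = dict(self.token.balances)
        self.token.transfer(self, borrower, amount)
        callback(self)
        # Repayment check: balance must not end below the recorded reserve.
        if self.token.balance_of(self) < self.reserve:
            self.token.balances = snapshot  # model the transaction revert
            raise RuntimeError("flash loan not repaid")

class GuardedPool(UnguardedPool):  # hardened form: init() runs exactly once
    def init(self, token):
        if self.initialized:
            raise PermissionError("already initialized")
        self.initialized = True
        super().init(token)

def replay(pool_cls, deposit=1000):
    """Replay the sequence from the write-up; return real tokens left in the pool."""
    real, fake, pool = Token(), Token(), pool_cls()
    pool.init(real)
    real.balances[pool] = deposit  # liquidity deposited by users
    pool.sync()
    try:
        pool.init(fake)   # re-initialize with a counterfeit token
        pool.sync()       # reserve now reflects the counterfeit token: 0
        pool.init(real)   # switch back to the real token
        pool.flash_loan("borrower", deposit, lambda p: None)  # nothing repaid
    except (PermissionError, RuntimeError):
        pass              # the initializer guard or repayment check stopped it
    return real.balance_of(pool)
```

With the one-shot initializer the token cannot be swapped, so `reserve` keeps tracking the real balance and the repayment check still means something.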

DODO found two individuals working on the exploit and noted that it’s investigating the issue with several notable industry names, such as Binance Smart Chain’s team, 1inch Exchange, PeckShield, and SlowMist.

DODO Token’s Minor Value Drop

In other recent examples of DeFi exploits, the native cryptocurrency of the project plummeted in value almost immediately. This was the case with PAID Network, as the PAID coin crashed by more than 80% in minutes.

However, the situation with DODO doesn’t seem all that harmful for the token so far. DODO, which saw the light of day as a part of the Binance Launchpool in February, traded at approximately $4.3 at the time when news broke that the DEX was exploited.

Although it’s in the red now, DODO’s drop is significantly less severe, as it has decreased by about 7% to $4.