March 12th, 2021
On March 8, 2021, the DODO DEX experienced a smart contract hack. The attackers were able to steal approximately $3.8 million in cryptocurrency from several of DODO’s crowdfunding pools. Of this, approximately $3.1 million of the stolen assets has since been returned.
The attack against the DODO V2 Crowdpooling smart contract took advantage of a flaw in the init() function of the contract. This flaw allowed the function to be called multiple times with different parameters.
The attacker took advantage of this flaw via a 4-step attack:
With this process, the attacker is able to bypass the liquidity checks used for verifying flash loans. As a result, they are able to drain liquidity from DODO’s pools.
The DODO smart contract exploit is especially interesting because DODO was not the only one “attacked”. The original DODO attacker was the victim of a frontrunning attack by cryptocurrency bots.
A frontrunning attack occurs when a blockchain user identifies a transaction that has been published to the network but not yet included in a block. By creating a transaction with a higher transaction fee, a frontrunner can cause their transaction to be processed and added to a block before the original transaction.
In this case, a cryptocurrency trading bot frontruns the original DODO attacker’s transactions, setting a very high transaction fee for their transactions. This enabled the bot to make its transactions ten minutes before the original attacker.
In the end, two cryptocurrency trading bots took advantage of the original attack to perform their own exploits against the vulnerable contract. The owners of both of these bots have agreed to return the stolen funds, totaling about $3.1 million. The remaining $700,000 was stolen by the original attacker, and $200,000 is frozen on exchanges.
The DODO hack exploited a simple smart contract vulnerability. Some key lessons learned from the attack include:
A high-quality security audit is essential for preventing these types of attacks. Contact us at firstname.lastname@example.org to learn more about Halborn’s security auditing services.