PAID Network Exploiter Raises $ 3M in Infinite Mint Attacks


Related articles

Paid Network, a DeFi platform for real world businesses, was exploited today in an “Infinite Mint” attack that saw paid token prices drop 85%.

While the exploit brought in almost $ 180 million in paid tokens at the time of the attack – which would have been the largest exploit of any DeFi protocol – the hacker’s payday will be far less. One observer noted that the attacker’s wallet only converted a portion of his tokens into wrapped ether, leaving the remainder in quickly depreciating paid tokens:

The attacker’s wallet still holds over 57 million paid tokens worth $ 37 million.

The exploit is conceptually similar to an attack on the insurance log cover that took place in late December last year. In this case, the team took a “snapshot” of the owners before the attack and issued a new token that returned the delivery of the token to pre-exploit levels.

The team confirmed on Twitter that a snapshot and restore are currently planned:

Token holders anxious to find a solution may be unlucky. Some in the community speculate that the PAID attack was not an exploit at all, but a “rugpull” – a slang term for an insider who drafts contracts to deliberately exploit them and steal user funds.

Parafi Capital’s Nick Chong noted on Twitter that Paid’s deployer contract, an externally controlled account, transferred ownership of the deployer to the attacker shortly before the coin was minted, indicating that a member of the team was either involved in the attack performed or falsely admitted to a rugpull has a security vulnerability:

In addition, a DeFi risk analysis account @WARONRUGS warned of this exact exploit at the end of January and stated that the contract holder can mint PAID tokens at any time:

A chain note sent to the attacker threateningly warned that “the LAPD will be in contact with Kyle Chasse shortly”. Kyle Chasse is the CEO of Paid Network.

Paid Network did not respond to a request for comment at the time of posting.