Paid Network, a DeFi platform for real-world businesses, was exploited today in an “infinite mint” attack that saw PAID token prices drop 85%.
While the exploit brought in almost $180 million in PAID tokens at the time of the attack – which would have been the largest exploit of any DeFi protocol – the hacker’s payday will be far less. One observer noted that the attacker’s wallet converted only a portion of its tokens into wrapped ether, leaving the remainder in quickly depreciating PAID tokens:
Summary of the $PAID incident:
Total PAID exchanged for WETH: 2079.603371141493
= $3,104,887.33
Total amount left in the account: 594,717,455.71
= $24,313,147
Total amount in the attacker’s account = $27,418,034.33
Stay safe. pic.twitter.com/Lz93qGKAq0
– vasa (@vasa_develop) March 5, 2021
The attacker’s wallet still holds over 57 million PAID tokens worth $37 million.
The exploit is conceptually similar to an attack on the insurance protocol Cover that took place in late December last year. In that case, the team took a “snapshot” of token holders before the attack and issued a new token that returned the token supply to pre-exploit levels.
The team confirmed on Twitter that a snapshot and restore are currently planned:
We are investigating the problem. We have withdrawn liquidity, are creating a new smart contract and we will restore everyone to their original balances before the hack.
Those with staked, Lpool & UniFarm $PAID will receive their tokens manually.
We’ll be releasing more updates soon
– PAID NETWORK (@paid_network) March 5, 2021
Token holders anxious for a resolution may be out of luck. Some in the community speculate that the PAID attack was not an exploit at all, but a “rugpull” – a slang term for an insider who writes contracts in order to deliberately exploit them and steal user funds.
Parafi Capital’s Nick Chong noted on Twitter that Paid’s deployer, an externally owned account (EOA), transferred ownership of a contract to the attacker shortly before the tokens were minted, indicating that a member of the team was either involved in the attack or mistakenly allowed a rugpull through a security vulnerability:
The Paid Network deployer, an EOA, transferred ownership of a contract to the attacker 30 minutes before the mint https://t.co/h14GdV4fCf
– Nick Chong (@n2ckchong) March 5, 2021
In addition, the DeFi risk analysis account @WARONRUGS warned of this exact exploit at the end of January, stating that the contract owner can mint PAID tokens at any time:
❌ Scam Advisory #86 – PAID Network $PAID (0x8c8687fC965593DFb2F0b4EAeFD55E9D8df348df)
Reason: The owner can mint tokens and mint fresh wallets that have never bought the pre-sale. The contract is behind a proxy.
Probability of losing all funds: Very high
DYOR. #WARONRUGS❌ pic.twitter.com/YQunjpWuxY
– #WARONRUGS❌ (@WARONRUGS) January 25, 2021
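The pattern described above, an ownership transfer followed about 30 minutes later by a large mint, can be watched for on-chain. The following monitor is an added example, not code from the article or from Paid Network. It assumes the token emits the standard ERC-20 Transfer event from the zero address on mint and an OpenZeppelin-style OwnershipTransferred event; the thresholds, addresses and amounts are constructed.

```python
from dataclasses import dataclass

ZERO = "0x" + "00" * 20
WINDOW_SECS = 3600   # assumed: how long after an owner change a mint is suspect
SUPPLY_JUMP = 0.10   # assumed: flag mints of 10% or more of circulating supply

@dataclass
class Event:
    ts: int      # block timestamp in seconds
    name: str    # "OwnershipTransferred" or "Transfer"
    args: dict   # decoded event arguments

def find_suspicious_mints(events, supply_before):
    """Flag large mints and whether ownership changed shortly before."""
    alerts, supply, owner_change = [], supply_before, None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.name == "OwnershipTransferred":
            owner_change = ev
        elif ev.name == "Transfer":
            src, dst, value = ev.args["from"], ev.args["to"], ev.args["value"]
            if src == ZERO:                      # mint
                ratio = value / supply if supply else float("inf")
                if ratio >= SUPPLY_JUMP:
                    gap = ev.ts - owner_change.ts if owner_change else None
                    recent = gap is not None and gap <= WINDOW_SECS
                    alerts.append({
                        "ts": ev.ts, "to": dst, "supply_ratio": round(ratio, 2),
                        "owner_changed_recently": recent,
                        "secs_since_owner_change": gap,
                        "minted_to_new_owner":
                            recent and dst == owner_change.args["newOwner"],
                    })
                supply += value
            elif dst == ZERO:                    # burn
                supply -= value
    return alerts

# Constructed sample data: placeholder addresses and amounts, not chain data.
DEPLOYER, NEW_OWNER, HOLDER = ("0x" + c * 40 for c in "abc")
SAMPLE_EVENTS = [
    Event(100, "Transfer", {"from": ZERO, "to": HOLDER, "value": 10_000}),
    Event(5000, "OwnershipTransferred",
          {"previousOwner": DEPLOYER, "newOwner": NEW_OWNER}),
    Event(6800, "Transfer", {"from": ZERO, "to": NEW_OWNER, "value": 50_000_000}),
    Event(7000, "Transfer", {"from": NEW_OWNER, "to": HOLDER, "value": 1_000_000}),
]

if __name__ == "__main__":
    print(find_suspicious_mints(SAMPLE_EVENTS, supply_before=1_000_000))
```

On the sample data the small early mint is ignored and the large mint is reported once, 1,800 seconds after the ownership change and credited to the new owner.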
An on-chain message sent to the attacker threateningly warned that “the LAPD will be in contact with Kyle Chasse shortly”. Kyle Chasse is the CEO of Paid Network.
Paid Network did not respond to a request for comment at the time of posting.