MonoX Exploit Post-Mortem (Aggregated)
Overview
Roughly $31M was drained from MonoX pools as a result of the hack on November 30, 2021. All staking pools across Ethereum and Polygon were drained, with over $31 million worth of tokens taken.
The Vulnerability
The exploit was caused by a smart contract bug that allowed the sold and bought token to be the same. In the case of the attack, it was the native MONO token.
More specifically, when a swap was taking place and tokenIn was the same as tokenOut, the transaction was permitted by the contract. With tokenOut being verified last, this caused a massive price appreciation of MONO. The attacker then used the highly priced MONO to purchase all the other assets in the pool and drained the funds.
Assets Stolen
The stolen funds included $18.2 million in Wrapped Ether (WETH) and another $10.5 million in Polygon (MATIC), along with other tokens.
Security Audits Failed to Catch It
MonoX had previously conducted audits from two smart contract auditors – Halborn and Peckshield. But neither of the two auditors was able to identify the exploit that the hacker had used to completely drain MonoX's smart contracts.
Additional sources