Cover Protocol Hack — December 28, 2020
Incident Overview
On December 28, 2020, a bug was exploited in the Cover protocol's liquidity mining/farming contract called Blacksmith, with multiple hackers using the bug to mint practically infinite tokens.
Technical Details
The exploit started at 08:08:12 AM UTC on December 28, 2020, and resulted in over 40 quintillion COVER tokens minted. The incident was due to a business bug in the protocol that miscalculated the reward amount for staking users through a logic error in the reward calculation.
The vulnerability, called "The Amplifier," occurred when the difference between the amount already in the pool and the amount to be deposited by the miner was great (e.g., 1 wei was in the pool and 1e18 wei was being deposited by the miner), allowing a miner to mint an almost infinite amount of tokens.
Market Impact
The price crashed from $920 to as low as $24. The attacker liquidated over 11,700 coins on the 1inch decentralized exchange aggregator, draining more than $5 million from the project.
Notable Aspect
In a surprising move, the suspected attacker returned the funds with a note saying: "Next time, take care of your own shit." It appears to have been a white-hat operation with gains from the exploit already returned back to the team.
Sources