March 6, 2021 | AtoZ Markets – The Paid Network, a DeFi platform targeting real-world businesses, was breached yesterday in an "infinite issuance" attack that has caused PAID token prices to drop by more than 85%.
Paid Network attacker dumped millions
While the attack generated PAID tokens worth nearly $180 million at the time, which would have made it the largest breach of a DeFi protocol, the hacker's actual haul will end up being much less. One observer noted that the attacker's wallet converted only some of its tokens to Wrapped Ether, leaving the rest in rapidly devaluing PAID tokens:
Summary of $PAID incident:
Total PAID swapped to WETH: 2079.603371141493
= $3,104,887.33
Total PAID left in account: 594,717,455.71
= $24,313,147
Total amount in attacker account = $27,418,034.33
Stay Safe. pic.twitter.com/Lz93qGKAq0
— vasa (@vasa_develop) March 5, 2021
The attacker's wallet still has more than 57 million PAID tokens worth $37 million.
The incident is conceptually similar to an attack on the Cover protocol that took place in late December last year. In that case, the team took a "snapshot" of the holders before the attack and issued a new token, returning the supply of the token to pre-attack levels.
The team confirmed on Twitter that they are currently planning a snapshot and restore:
We are investigating the issue. We pulled liquidity, are creating a new smart contract, & will be restoring everyone's original balances to before the hack.
Those with staked, Lpool & UniFarm $PAID will have their tokens be sent to them manually.
We will share more updates soon
— PAID NETWORK (@paid_network) March 5, 2021
However, token holders eager for a resolution may be out of luck. Some in the community are speculating that the attack on PAID was not an exploit at all, but rather a "rugpull," a colloquial term for insiders deliberately designing contracts to be vulnerable so that they can steal user funds.
Nick Chong of Parafi Capital noted on Twitter that Paid's deployer, an externally owned account (EOA), transferred ownership of a contract to the attacker shortly before the new tokens were issued, indicating that a team member either carried out the "rugpull" or let the attacker in through a security flaw:
Paid Network's deployer, an EOA, transferred ownership of a contract to the attacker 30 mins before the mint https://t.co/h14GdV4fCf
— Nick Chong (@n2ckchong) March 5, 2021
Furthermore, a DeFi risk analysis account @WARONRUGS warned of exactly this vulnerability in late January, noting that the contract owner can issue PAID tokens at any time:
❌ Scam Advisory #86- PAID Network $PAID (0x8c8687fC965593DFb2F0b4EAeFD55E9D8df348df)
Reason: The owner can mint tokens and did mint tokens to fresh wallets who never bought the presale. Contract is behind a proxy.
Likeliness of losing all funds: Very High
DYOR. #WARONRUGS❌ pic.twitter.com/YQunjpWuxY
— #WARONRUGS❌ (@WARONRUGS) January 25, 2021
An on-chain note sent to the attacker ominously warned that "the LAPD will be contacting Kyle Chasse very soon." Kyle Chasse is the CEO of Paid Network.