Ethereum-based Swap DODO has been Exploited and Drained of $3.8M
Decentralized asset swap platform DODO has reportedly been exploited and drained of $3.8 million. According to DODO, the “DODO V2 Crowdpooling smart contract has a bug that allows the init() function to be called multiple times.”
“The exploits targeted several DODO V2 Crowdpools, namely the WSZO, WCRES, ETHA, and FUSI pool. Funds in all other pools, including all V1 pools and all non-Crowdpool V2 pools, are safe. In total, approximately $3.8 million, of which $1.88 million is expected to be returned.”
As a result of the bug, the exploiter was able to perform the following actions, as listed by DODO:
- “Exploiter creates a counterfeit token and initializes the smart contract with it by calling the init() function.
- Exploiter calls the sync() function and sets the “reserve” variable, which represents the token balance, to 0.
- Exploiter calls init() again to re-initialize – this time with a “real” token (i.e. tokens in DODO’s pools).
- Exploiter uses a flash loan to transfer all real tokens from the pools and bypass the flash loan check.”
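The re-initialization flaw described above can be shown in a small model. This is an added example, not DODO's contract code or its patch: the class names, the `_initialized` flag and the sample deposit are assumptions, and the model covers only the init()/sync() sequence, comparing an unguarded init() with one that may run only once.

```python
class Token:
    """Toy ledger standing in for an ERC-20 token (constructed for this example)."""
    def __init__(self):
        self.balances = {}
    def balance_of(self, holder):
        return self.balances.get(holder, 0)

class AlreadyInitialized(Exception):
    """Raised when init() is called on a pool that is already set up."""

class UnguardedPool:
    """Simplified model of the reported bug: nothing stops a second init()."""
    def __init__(self):
        self.token, self.reserve = None, 0
    def init(self, token):
        self.token = token
    def sync(self):
        # reserve mirrors the pool's balance of whichever token is configured
        self.reserve = self.token.balance_of(self)
    def reserve_is_consistent(self):
        # invariant a monitor can check: recorded reserve == actual balance
        return self.reserve == self.token.balance_of(self)

class GuardedPool(UnguardedPool):
    """Same pool with a one-time initialization flag (assumed fix, not DODO's patch)."""
    _initialized = False
    def init(self, token):
        if self._initialized:
            raise AlreadyInitialized("init() may only be called once")
        self._initialized = True
        super().init(token)

def replay_reported_calls(pool_cls, deposit=1000):
    """Run the init/sync/init sequence from the report against a pool model."""
    real, counterfeit = Token(), Token()
    pool = pool_cls()
    pool.init(real)                   # legitimate setup
    real.balances[pool] = deposit     # constructed sample deposit
    pool.sync()
    try:
        pool.init(counterfeit)        # re-init with a counterfeit token
        pool.sync()                   # reserve is now 0
        pool.init(real)               # re-init with the real token
        rejected = False
    except AlreadyInitialized:
        rejected = True
    return rejected, pool.reserve, pool.reserve_is_consistent()
```

The function returns whether the second init() was rejected, the recorded reserve, and whether the reserve still matches the pool's real balance.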
DODO noted that trading on the DODO platform is unaffected by the exploits.
DODO also said that two parties are behind the exploit and that the funds are currently held in two addresses.
It is expected that $1.88 million will be returned; for now, however, that is only a hope.