PLX Locker Smart Contract Incident Post-mortem

PolyDEX
3 min read · Jun 21, 2021

Summary

PolyDEX suffered a re-entrancy attack on the PLX Locker Smart Contract (fPLX). This is our detailed post-mortem analysis to establish the nature of the exploit and to prevent similar incidents in the future. Follow-up actions and the compensation plan are also laid out below.

The Incident

Time of attack: On Jun-20-2021 08:56:52 PM UTC, a hacker using the wallet address https://polygonscan.com/address/0x8a0a1eb0bae23e4e95608e3aad7fa25b0d907c6c performed a re-entrancy attack on the Token Locker smart contract.

The contract itself has no issue with a standard ERC20 token, but because PLX is an ERC777 token, a tokenReceived() callback fires on the recipient every time transfer() is called.

The attacking smart contract deployed by the hacker called unlockAll() repeatedly (40 times) from inside that callback, so he was able to unlock more than the amount he had locked.

Attacking tx (https://polygonscan.com/tx/0x6b3f057683083d7f0a25e4d3898ca68308cfe2335878143466f84b3003ebe3a2):

  • Step 1. Lock 15,711,384 PLX in the Locker, receive 15,711,384 fPLX
  • Step 2. Unlock all 15,711,384 fPLX from the Locker, receive 1,184,289 PLX
  • Step 3. In tokenReceived() call unlockAll() function

Step 3 is repeated 40 times.

As a consequence, almost all locked PLX in the Token Locker contract (~50 million PLX) was drained, immediately sold for $511k USDC and bridged to Ethereum: https://polygonscan.com/tx/0xe02124b1a2fa3c4d7f0bad162f06c96688f5911951010063ac7f65ef4b6bd1ad
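As an added illustration (not PolyDEX's contract code), the minimal locker below reproduces the ordering flaw described above beside a hardened version. It assumes a 1:1 internal balance mapping in place of the fPLX receipt token, an ERC20-compatible transfer() on the ERC777 PLX, and uses the ERC777 hook's actual name, tokensReceived, which the post writes as tokenReceived().

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Shared accounting (assumption: locked PLX is credited to an internal balance, 1:1).
abstract contract LockerBase {
    IERC20 public immutable plx;
    mapping(address => uint256) public locked;
    constructor(IERC20 _plx) { plx = _plx; }
    function lock(uint256 amount) external {
        locked[msg.sender] += amount;
        require(plx.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }
}

// Vulnerable pattern: the token transfer (which fires the ERC777 tokensReceived hook
// on the recipient) runs before locked[msg.sender] is zeroed, so a hook that calls
// unlockAll() again still sees the old balance and is paid again.
contract VulnerableLocker is LockerBase {
    constructor(IERC20 _plx) LockerBase(_plx) {}
    function unlockAll() external {
        uint256 amount = locked[msg.sender];
        require(amount > 0, "nothing locked");
        require(plx.transfer(msg.sender, amount), "transfer failed"); // external call first
        locked[msg.sender] = 0;                                       // effect too late
    }
}

// Hardened pattern: checks-effects-interactions plus a reentrancy mutex.
contract HardenedLocker is LockerBase {
    uint256 private _status = 1;
    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }
    constructor(IERC20 _plx) LockerBase(_plx) {}
    function unlockAll() external nonReentrant {
        uint256 amount = locked[msg.sender];
        require(amount > 0, "nothing locked");
        locked[msg.sender] = 0;                                       // effect first
        require(plx.transfer(msg.sender, amount), "transfer failed"); // interaction last
    }
}
```

With the hardened ordering, a hook that re-enters unlockAll() finds a zero balance (and the mutex reverts the call anyway), so a second payout is impossible.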

Immediate actions and move-forward plan

We immediately informed Polygon in order to block the hacker's wallet from bridging to Ethereum. However, due to the time zone difference, the block could not be activated in time and the hacker managed to bridge the funds over to Ethereum.

We also deployed a patch immediately, but because of the timelock it was executed too late to prevent the hack.

PLX will be upgraded to PLX v2 with a tentative deadline of Friday, June 25th, 2021, subject to thorough testing. PLX v2 will no longer use ERC777 and will not use the old Token Locker.

A further improvement in PLX v2 is increasing the PLX v2 transaction tax to 1%:

  • 0.5% is distributed to PLX v2 holders
  • 0.2% adds liquidity automatically, locked forever
  • 0.2% is burnt from the circulating supply forever
  • 0.1% goes to the insurance fund

Upon launching PLX v2:

  • All minting of PLX v1 will be stopped
  • Users will be able to convert 1:1 from PLX v1 to v2
  • Migration of PLX v1 LP to PLX v2 LP will be provided as a one-click transaction.
  • UI for claiming compensation will be provided for affected users.

We will also upgrade the Router to v2. More details will be announced in a separate article.

Compensation Plan

In total, $500k (~50M PLX) was lost in the exploit. Our plan to compensate for this loss is as follows:

  • Burn the entire dev fund vesting from the beginning until PLX v1 ends, equivalent to approximately 20M PLX
  • Use the entire IDO fund (~$250k): half to buy PLX, paired with the other half to provide permanent liquidity for PLX.

In total, this will compensate for all the loss incurred.

Moreover, as a goodwill gesture, we will also compensate liquidity providers who incurred impermanent loss:

  • The snapshot will be taken right before the attack happened, at Jun-20-2021 08:56:52 PM UTC.
  • 10M of PLX v2 will be used to compensate Liquidity Providers from PLXv1/WETH and PLXv1/MATIC by pro rata:
    - 7M PLXv2 to compensate PLXv1/WETH.
    - 3M PLXv2 to compensate PLXv1/MATIC.
  • Users will be able to claim their compensation after PLX v2 launches. Details and a guide will be provided once ready.
  • Example: if a user holds 1% of the LP supply of PLXv1/WETH, the user will be able to claim 70k PLXv2.

All users will be able to convert 1:1 from PLX v1 to PLX v2. Until PLX v2 launches, tentatively on Friday, June 25th, 2021, PLX v1 continues business as usual. Upon the PLX v2 launch, PLX v1 will be discontinued and users can convert to PLX v2.

Conclusions

All other funds are SAFU. Our top priority right now is to close any possible vulnerabilities, prevent similar incidents from happening in the future and work towards restoring the value lost by our community.

We are continuing to build and grow PolyDEX as planned. Our Vision and Missions remain unchanged. We are committed to improving platform security and user experience no matter what.

Thank you for your understanding and support.
