DODO co-founder Radar Bear reviews the crowdfunding pool attack incident
This article is from DODO, authored by Radar Bear.
There is a widely circulated article titled "Ethereum: The Dark Forest." In this article, a "Universal Trading Bot" is introduced. This bot listens for transactions that have been broadcast but not yet confirmed on-chain. Once it detects that the original transaction is profitable, it sends the same transaction with a higher gas price, completing the transaction before the original one.
The Ethereum world is like a dark forest, filled with such bots, where every move you make is secretly observed. This sounds like a cold and ruthless story, but what we are about to tell is filled with warmth and chivalry.
We Made a Mistake
Beijing Time, March 9, 8 AM.
I received a call from the community manager, saying our contract was attacked at 5 AM. I immediately called the tech team to check the specifics.
We then discovered that the initialization function of the liquidity pool contract had a vulnerability: it could be called repeatedly, with nothing preventing re-initialization. The attacker used a flash loan to borrow real tokens and then re-initialized the contract, replacing the pool's token pair with a fake token he had created, which bypassed the flash loan repayment check.
This was not a failure of the audit conducted by Peckshield, but a huge mistake on our part: when simplifying the code logic before launch, we dropped a permission check. We made a significant error.
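To make the defect concrete, here is an added illustration written for this review; it is not DODO's contract code, and every contract, interface and function name in it (VulnerablePool, HardenedPool, IFlashBorrower, init, flashLoan) is hypothetical. It places a minimal pool whose init() can be called by anyone, any number of times, next to a hardened version with a one-shot guard, a restricted caller, and a repayment check bound to the token addresses captured before control passes to the borrower.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not DODO's contract code. All names are hypothetical.

interface IERC20 {
    function balanceOf(address who) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IFlashBorrower {
    function onFlashLoan(bytes calldata data) external;
}

// --- The defect: init() has no one-time guard and no caller restriction ---
contract VulnerablePool {
    IERC20 public baseToken;
    IERC20 public quoteToken;

    // Anyone can call this, any number of times, even after the pool holds funds.
    function init(IERC20 _base, IERC20 _quote) external {
        baseToken = _base;
        quoteToken = _quote;
    }

    function flashLoan(uint256 baseAmt, uint256 quoteAmt, address borrower, bytes calldata data) external {
        uint256 baseBefore = baseToken.balanceOf(address(this));
        uint256 quoteBefore = quoteToken.balanceOf(address(this));
        require(baseToken.transfer(borrower, baseAmt), "transfer failed");
        require(quoteToken.transfer(borrower, quoteAmt), "transfer failed");

        // Control passes to the borrower. If the callback calls init() with
        // tokens the borrower controls, the storage variables read below no
        // longer refer to the tokens that were actually lent out, so the
        // "repaid" check is evaluated against the wrong token.
        IFlashBorrower(borrower).onFlashLoan(data);

        require(baseToken.balanceOf(address(this)) >= baseBefore, "base not repaid");
        require(quoteToken.balanceOf(address(this)) >= quoteBefore, "quote not repaid");
    }
}

// --- Hardened: one-time initialization, restricted caller, reentrancy lock,
// and the repayment check bound to token addresses captured before the call ---
contract HardenedPool {
    IERC20 public baseToken;
    IERC20 public quoteToken;
    address public immutable factory;
    bool private _initialized;
    bool private _locked;

    constructor(address _factory) {
        factory = _factory;
    }

    modifier nonReentrant() {
        require(!_locked, "reentrant");
        _locked = true;
        _;
        _locked = false;
    }

    function init(IERC20 _base, IERC20 _quote) external {
        require(msg.sender == factory, "not factory");   // permission control
        require(!_initialized, "already initialized");    // one-shot guard
        require(address(_base) != address(0) && address(_quote) != address(0), "zero token");
        _initialized = true;
        baseToken = _base;
        quoteToken = _quote;
    }

    function flashLoan(uint256 baseAmt, uint256 quoteAmt, address borrower, bytes calldata data)
        external
        nonReentrant
    {
        require(_initialized, "not initialized");
        // Snapshot the token addresses into locals: repayment is checked
        // against the tokens that were lent, whatever happens to storage
        // during the callback.
        IERC20 base = baseToken;
        IERC20 quote = quoteToken;
        uint256 baseBefore = base.balanceOf(address(this));
        uint256 quoteBefore = quote.balanceOf(address(this));
        require(base.transfer(borrower, baseAmt), "transfer failed");
        require(quote.transfer(borrower, quoteAmt), "transfer failed");

        IFlashBorrower(borrower).onFlashLoan(data);

        require(base.balanceOf(address(this)) >= baseBefore, "base not repaid");
        require(quote.balanceOf(address(this)) >= quoteBefore, "quote not repaid");
    }
}
```

The three defences are independent and worth keeping together: the caller restriction is the permission check the post says was dropped, the `_initialized` flag closes the re-call path even for an authorised caller, and reading the token addresses into locals before any external call means a balance check cannot be redirected by whatever that call does to storage. In review, any externally callable function that writes to core configuration (token addresses, fee recipients, oracles) and lacks both an access check and a one-shot guard deserves the same scrutiny.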
Fortunately, this issue only affected part of our V2 liquidity pool's operations, and the trading module was unaffected. Moreover, only the project party was impacted, and ordinary users did not incur losses.
We immediately began to remedy the situation. The tech team recovered all funds that were still vulnerable within 15 minutes (about $80,000). Subsequently, we closed the liquidity pool entry on the product side and issued an announcement to inform users and the project party about the situation's progress.
Meanwhile, we calculated the losses, which amounted to approximately $3.8 million worth of USDT, ETH, and project tokens. We then immediately began to investigate.
Good News from samczsun
Beijing Time, March 9, 8:30 AM.
Half an hour after the incident, I received a private message from white hat samczsun, stating that a mysterious individual, whom we will call Mr. Cheetah, had "accidentally obtained" a portion of the stolen funds worth $1.89 million and had entrusted samczsun to inform us that he was willing to return it in full.
Who exactly is Mr. Cheetah, how did he obtain part of the stolen funds, and does he know the whereabouts or clues regarding the remaining stolen funds?
The Murky Course of Events
After analyzing the attack, we found that two addresses executed the attack, which we referred to as Mr. Hippo (0x368) and Mr. Antelope (0x355).
Mr. Hippo executed two attacks. Of the proceeds, $200,000 entered a centralized exchange, which we immediately contacted to freeze. The other amount, $1.89 million, exactly matched the sum Mr. Cheetah was willing to return to us. We therefore speculated that Mr. Hippo was Mr. Cheetah, and that he was likely a white hat hacker.
Mr. Antelope, on the other hand, did not seem to be a bad actor; his attack was executed through a "Universal Trading Bot," paying a gas price as high as 90,000 Gwei to send the transaction, with the miner fee for a single transaction reaching 8 ETH. From the on-chain clues, it is very likely that Mr. Antelope's bot automatically front-ran Mr. Hippo's transaction, and Mr. Antelope might not even have been aware of it!
This was another piece of good news for us; if we could contact Mr. Antelope, this money might also be recoverable.
The Mystery Deepens
Beijing Time, March 9, 9 PM.
After waiting for a day, we received Mr. Cheetah's refund ($1.89 million) and a message: Mr. Cheetah does not admit to being Mr. Hippo.
Now the mystery grew larger, as there were at least three parties involved in this attack! Moreover, we did not know how Mr. Cheetah had obtained Mr. Hippo's assets. At that time, the only party we had any chance of contacting was Mr. Cheetah, who was clearly familiar with the rules of the dark forest.
Although Mr. Cheetah wished to remain anonymous, we conveyed our intention to establish direct contact with him through samczsun and some friends. After waiting for several hours, I received a private message on Telegram.
A Small World
Beijing Time, March 10, 1:30 AM.
I never expected that Mr. Cheetah was an old acquaintance of mine. I met him back in 2018 when I was still working as a developer at DDEX. We would discuss contract development issues together. After I left DDEX, we lost contact, and he had no idea that I became a founding partner of DODO.
Mr. Cheetah told me that Mr. Hippo was the attacker. He transferred the money obtained from the attack to a contract, which had a vulnerability that allowed anyone to withdraw tokens. When Mr. Hippo attempted to withdraw, he was front-run by Mr. Cheetah's bot, thus "accidentally obtaining" the funds.
So what about the remaining stolen funds? Just as we were discussing how to contact Mr. Antelope, he reached out to me.
The Whole Story
Beijing Time, March 10, 3 AM.
Mr. Antelope anonymously emailed me, expressing his willingness to return the funds (worth about $1.2 million). I finally breathed a sigh of relief, as the two main portions had been returned. Moreover, Mr. Antelope revealed to us many events he had monitored, allowing us to finally see the full picture of the incident.
(We do not list specific transaction hashes here, as our friends wish to remain low-key.)
The real attacker is Mr. Hippo.
He executed two attacks, but both were front-run by Mr. Antelope's bot.
Mr. Hippo was very frustrated and took some time to write a contract to bypass Mr. Antelope's trading bot, and this time he succeeded. The funds fell into Mr. Hippo's contract.
However, when Mr. Hippo attempted to withdraw from the contract, he was again intercepted by Mr. Cheetah's trading bot! Mr. Antelope and Mr. Cheetah engaged in a gas war, and ultimately Mr. Cheetah emerged victorious. Thus, Mr. Hippo executed three attacks but gained nothing, all being front-run by bots in the dark forest!
Subsequently, Mr. Hippo executed two successful attacks, but the amounts were relatively small, totaling about $200,000 in profit. We are still tracing this money.
In the end, within 24 hours of the attack, we recovered $3.1 million of the $3.8 million stolen.
A Warm Dark Forest
The dark forest has many hunters, but they are not as cold and ruthless as the public imagines. Some hunters are gentle large herbivores; they are the chivalrous figures in the dark forest, intercepting stolen funds from hackers and returning them to the victims.
To this day, many still believe that the world of digital currency is filled with scammers and hackers, and associate it with illegal transactions, fraud, and victims fighting to recover their losses. But in fact, there are many different roles in this forest: DeFi project parties, ordinary users, enthusiastic bystanders, skilled arbitrage bots, white hats who remain vigilant and neutral, amateur hackers who are not always precise, and skilled professional hackers…
They collectively form an ecosystem that has its own justice and ethics, with each participant playing a role as a law enforcer to varying degrees. For honest developers, this is a warm dark forest.
Thank You All
When one side is in trouble, support comes from all directions. After the attack, we received help from many friends, and I am grateful that there are so many good people in the Ethereum community who lent a helping hand during DODO's most difficult time. We extend our highest respect to the chivalrous figures in the Ethereum community, including:
Peckshield, SlowMist, Binance Security Team
samczsun, Tina
1inch, Tokenlon, Binance, Huobi, Etherscan
And many friends who offered encouragement and comfort, even competitors who stood with us in this critical moment. This made us feel that beneath the cold code lies much warmth, a recognition of honesty, a yearning for fairness, and a valuing of credibility.
Side Story
Before Mr. Antelope returned the vETH, his bot fell into a honeypot trap specifically designed for him.
https://etherscan.io/tx/0xb081e1aaf4ea7d6b819fc0ffa8230586854130e6b7313fa23a0cc4509b8c3886
This trap used 0.05 ETH as bait and lured his bot into giving up 324 vETH, worth about $500,000. We do not know who designed this trap; it could have been the frustrated Mr. Hippo or some onlooker.
In the end, Mr. Antelope generously shared this loss with us.
On the other hand, some researchers are building "portals" in the dark forest, such as the MEV-geth infrastructure from the MEV research organization Flashbots and Spark Pool's Tai Chi. These "portals" connect transaction senders directly to mining pools; they are built around private transactions and optimized transaction ordering rules, which can prevent transactions from being front-run.