Hackers exploited a smart contract bug in Maiar DEX, causing the decentralized crypto exchange to lose $113 million. Developers took Maiar offline shortly after detecting malicious activity and later introduced an “emergency fix.” Maiar's market capitalization saw a sharp decrease of 11%, or $50 million, in just one hour. The hacker exploited a smart contract to withdraw more than 1,600k EGLD tokens, which also decreased the price of $EGLD by 9.5%.
The exploit in detail
Vulnerability in VM functionality
Elrond wanted to introduce a new VM function to the mainnet called “execute on destination context by the caller.” The community discovered that the function could be called in a callback, i.e., in the name of any contract. In other words, the function allowed the hacker to drain EGLD from any contract in the same shard, and the victim would be helpless. This bug was widely discussed on the public Elrond Developers channel. Yet the patch was coming in 36 hours, and the team decided not to take any action.
The Attack
The hacker targeted the largest EGLD honeypot: the egld-esdt-swap contract. They created three wallets for each shard. The three addresses associated with the exploit are erd1cura2qq.., erd1yrf9qe.., and erd16syfkd. These were later used to sell $EGLD worth millions of dollars. The hacker deployed a copy of the malicious swap contract in each address. The hacker sent transactions with callbacks that drain EGLD from the swap contracts thanks to the bug in “execute on destination context by caller.” The three addresses received 800k, 400k, and 450k $EGLD.
The hacker tried to dump, unwrap, and bridge the tokens. The plan was to use Maiar DEX to get $EGLD from the Elrond chain to Ethereum. The hacker managed to sell 951k EGLD and bridge 5.6m of USDC before the Elrond team pulled the plug and Maiar DEX went offline. Due to the massive selling, the EGLD token lost almost 95% of its value in half an hour.
Maiar and Elrond’s Response
According to Beniamin Mincu, Maiar and Elrond founder, the team detected “suspicious activity,” initiated an emergency protocol, discovered a critical bug, stopped the damage, ensured the safety of the rest of the funds, and started the recovery process. Elrond removed the “executeOnDestContextByCaller” function.
Mincu gave assurances that most of the stolen funds have been recovered and that Elrond will cover the rest. Elrond offered an interesting solution for eliminating the exploit in the future. They want to match the EGLD price on Maiar with the Binance EGLD price. If Maiar’s price deviates from Binance’s price, $EGLD enters “a safe mode resync.” In other words, if the DEX price differs from Binance's, Maiar suspends all swaps.
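The price-matching safeguard described above can be sketched as a circuit breaker on a constant-product liquidity pool. This is an added example, not Elrond's or Maiar's code; the 5% threshold, the pool model, the names `GuardedPool` and `SwapsSuspended`, and the choice to test the price a swap would leave behind are all assumptions.

```python
# Added illustration: reference-price circuit breaker on an x*y=k pool.
# The threshold is an assumption; the article states none.
from dataclasses import dataclass

MAX_DEVIATION = 0.05  # assumed: suspend swaps if pool price is >5% off reference


class SwapsSuspended(Exception):
    """Raised when a swap is refused because the pool is in safe mode."""


@dataclass
class GuardedPool:
    egld: float              # EGLD reserve
    usdc: float              # USDC reserve
    safe_mode: bool = False

    def price(self) -> float:
        """Spot price of 1 EGLD in USDC implied by the reserves."""
        return self.usdc / self.egld

    def deviation(self, reference_price: float) -> float:
        """Relative gap between the pool price and the external reference."""
        return abs(self.price() - reference_price) / reference_price

    def sell_egld(self, amount: float, reference_price: float) -> float:
        """Swap EGLD for USDC (no fee) unless the breaker is or becomes tripped."""
        if self.safe_mode:
            raise SwapsSuspended("pool is in safe mode")
        k = self.egld * self.usdc
        new_egld = self.egld + amount
        new_usdc = k / new_egld
        post_price = new_usdc / new_egld
        # Test the price the swap would leave behind, so one oversized dump
        # is refused instead of being executed and detected afterwards.
        if abs(post_price - reference_price) / reference_price > MAX_DEVIATION:
            self.safe_mode = True
            raise SwapsSuspended("post-swap price deviates from reference")
        usdc_out = self.usdc - new_usdc
        self.egld, self.usdc = new_egld, new_usdc
        return usdc_out

    def resync(self, reference_price: float) -> bool:
        """Re-evaluate safe mode; returns True when swaps are allowed again."""
        self.safe_mode = self.deviation(reference_price) > MAX_DEVIATION
        return not self.safe_mode
```

A breaker like this limits how much stolen supply can be sold through the pool, but it depends on the integrity and availability of the external reference price.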
DEX and Blockchain Risks
Maiar is a decentralized exchange. Unlike centralized exchanges such as Coinbase, DEXs run on smart contracts with no single order book. Instead, they use pools of liquidity and algorithms to match orders among users. Maiar DEX itself worked as intended in this case: the DEX was not the target of the attack. Instead, this was an exploit of a bug in the VM functionality of the Elrond Network. It turns out that striving for decentralization creates high risks of bugs and vulnerabilities.