This article takes Soda as an example and reviews the 48 hours a contract vulnerability took to go from discovery to repair to compensation.
Soda's 48 Hours of Fear: Whales Add to Their Positions While Hackers Attack
In just two or three months, DeFi has grown rapidly from a small niche into the infrastructure of the crypto world.
While DeFi grew wildly, it also exposed a long-standing problem: contract security.
As decentralized finance, its security rests entirely on smart contracts.
So when DeFi first took off, countless projects rushed in under FOMO, and contract security issues surfaced.
According to PeckShield statistics, since Compound started liquidity mining in June, contract security issues have caused at least $4 million in losses in the DeFi field.
Some were deliberate: for example, more than 1.2 million US dollars was transferred out of EMD (Emerald) 13 hours after it went live.
Of course, more were unintentional. For example, in Soda (soda water), which happened two days ago, more than 400 ETH were maliciously liquidated.
The contract has now been repaired, and the team has compensated users for all losses.
Chain Tea House takes Soda as an example and reviews the 48 hours the contract vulnerability took from discovery to repair to compensation, in the hope that DeFi participants can take warning and avoid risks that should not happen but are quite common.
Soda is a collateralized lending platform. It was created on Ethereum on September 15 and officially opened its first mining pool on September 20.
Less than 6 hours after Soda opened, SODA skyrocketed to US$500, and the total value locked exceeded US$80 million.
Many DeFi projects endorsed by large organizations have not achieved such results, let alone one developed by an anonymous team.
That is because Soda's mining rules were really attractive: a dual-token system.
Specifically, users can use WETH to mine SODA, then collateralize the WETH they are mining with to borrow the platform's synthetic asset SoETH, then swap SoETH for more WETH to mine more SODA.
Put simply: you can magnify your principal by 3.5 times.
So Soda took center stage the moment it debuted, never expecting that this would be its peak, because contract loopholes were quickly discovered.
At 5 pm on September 20, a Weibo user called Xhuo Xhuo issued a risk warning about the Soda.finance (Soda) protocol.
«Don't pledge WETH to borrow SoETH. There are loopholes in the contract. Others can liquidate your loan at will.»
Waste X was the first to discover the loophole and informed Soda officials, but he himself did not exploit it for profit (he only liquidated one ETH as a demonstration).
Because Soda officials did not respond promptly, X chose to make the risk warning public.
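To make the defect class concrete, here is an added example, written for this article and not Soda's own contract, of a simplified lending pool in Solidity. The vulnerable liquidation function beside a hardened one shows what "liquidate at will" means at the code level: the missing check is whether the position is actually undercollateralized. The contract name, the 70% maximum loan-to-value and the fixed 1:1 SoETH/ETH price are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical, stripped-down lending pool written for this article.
/// It is not Soda's code; it only illustrates the class of defect the
/// warning describes: a liquidation entry point that any caller can
/// use against any loan, healthy or not. Native ETH stands in for WETH
/// and SoETH bookkeeping is reduced to a number, to keep it self-contained.
contract LendingPoolExample {
    // Maximum loan-to-value in basis points. 70% is assumed here; the
    // article's 861 SoETH against 1230 WETH is consistent with that ratio.
    uint256 public constant MAX_LTV_BPS = 7000;

    struct Position {
        uint256 collateral; // ETH deposited, in wei
        uint256 debt;       // SoETH borrowed, in wei
    }

    mapping(address => Position) public positions;

    // SoETH price in ETH, 18 decimals. A real pool would read this from an
    // oracle; a fixed 1:1 rate is assumed here.
    uint256 public soEthPriceInEth = 1e18;

    event Liquidated(address indexed borrower, address indexed liquidator, uint256 seized);

    function deposit() external payable {
        positions[msg.sender].collateral += msg.value;
    }

    function borrow(uint256 amount) external {
        Position storage p = positions[msg.sender];
        p.debt += amount;
        require(isHealthy(p), "exceeds max LTV");
        // minting SoETH to msg.sender omitted
    }

    /// A position is healthy while debt value <= MAX_LTV of collateral value.
    function isHealthy(Position memory p) public view returns (bool) {
        uint256 debtValue = (p.debt * soEthPriceInEth) / 1e18;
        return debtValue * 10000 <= p.collateral * MAX_LTV_BPS;
    }

    /// DEFECTIVE pattern: nothing ties liquidation to the borrower's risk.
    /// Any caller can seize any borrower's collateral, even a position far
    /// below the limit. Shown only for contrast with liquidate() below.
    function liquidateUnchecked(address borrower) external {
        _seize(borrower);
    }

    /// Hardened pattern: liquidation is allowed only once the position has
    /// actually breached the limit, and the caller must repay the debt first.
    function liquidate(address borrower) external {
        Position storage p = positions[borrower];
        require(!isHealthy(p), "position is healthy");
        // pulling p.debt of SoETH from msg.sender and burning it omitted
        _seize(borrower);
    }

    function _seize(address borrower) internal {
        Position storage p = positions[borrower];
        uint256 seized = p.collateral;
        p.collateral = 0; // state cleared before the external call
        p.debt = 0;
        emit Liquidated(borrower, msg.sender, seized);
        (bool ok, ) = msg.sender.call{value: seized}("");
        require(ok, "transfer failed");
    }
}
```

The guard alone is not the whole story: isHealthy depends on the quoted SoETH price, so the price source needs the same scrutiny as the check itself. And as the article's timelock episode shows, a fix to this function protects nobody until the delay elapses, which is why the eligibility check belongs in the contract and in its audit before launch rather than in a patch.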
According to Chain Tea House, Soda officials learned the news in Soda's Discord group, because some users forwarded the above Weibo screenshots to the group.
But at the time, the user group generally believed the warning was just an attack on a hot project, so they paid no attention.
But an hour later, Soda officially confirmed the existence of the bug, which triggered a panic capital flight.
At that time, collateral assets in the WETH pool exceeded 10 million US dollars, and the SoETH loaned out was close to 7 million US dollars.
In other words, in theory, hackers could profit by several million dollars by initiating liquidations against more than 10 million dollars in assets.
So in the next few hours, SODA's price fell from 400 US dollars to 50 US dollars, and a large amount of locked funds fled, cutting the locked value roughly in half.
Although Soda officially released a patch and deployed new smart contracts at 4 am that night, users still couldn't breathe a sigh of relief.
Because the smart contract has a timelock, it would take at least 48 hours for the patch to take effect.
So during these 48 hours, hackers could exploit the loophole for profit at any time.
In fact, at least 6 hackers tried to profit from the attack that night.
At the same time, some bold and skilled users, instead of retreating, increased their positions.
So there were still one or two thousand SoETH in circulation.
For example, one giant whale borrowed about 861 SoETH in a single transaction that night, which means he had to collateralize at least 1230 WETH, and those 1230 WETH could be liquidated by hackers at any time.
Pulling chestnuts out of the fire like this naturally brings high returns: this whale took more than half of the income in the SoETH-ETH-UNI-V2-LP pool over the next two days.
So who would win the contest between hackers and giant whales?
After a long 48-hour wait, the patch finally took effect.
The contest between hackers and giant whales was finally settled.
According to Soda's official statistics, 14 users were harmed by the contract vulnerability. A total of 448 WETH was liquidated, and the actual loss was 134.5 WETH (because the 70% borrowed as SoETH no longer needs to be repaid, and the price of SoETH is slightly higher than that of WETH).
Soda officials also proposed a compensation plan: compensate users for the WETH lost through SoETH, which is 30% of the total liquidated.
According to Chain Tea House, most users had accepted the above compensation plan as of press time.
So the matter should have been settled, but Soda suffered a heavy blow: the price of SODA dropped from the original US$300 to US$7, a decline of nearly 50 times.
To make matters worse, misfortunes never come singly: Soda was also intercepted by a «machine gun pool» (a yield-aggregator vault).
YFV opened a machine gun pool for SODA before Soda's bug was fixed and injected millions of dollars in funds. This means the rewards from Soda's pool could easily be dumped mercilessly by the machine gun pool.
Ironically, YFV copied some of SODA's code and named it Drink SODA.
Soda's official response was to increase the mining multiplier of the SODA-ETH-UNI-V2-LP pool from 5x to 20x, and to promise a community vote after the initial 100,000 SODA are mined to determine the release plan for the remaining 900,000 SODA.
Soda's contract security issue has come to an end. Can it return to its peak with its previous advantages?
For DeFi users and project teams, the biggest lesson is that contracts must be audited.
An audit may not be a panacea, but it can at least avoid some risks that shouldn't happen but are all too common.