Thank you for your trust and support during this time. We have concluded our investigation in response to the attacks on some DODO pools on the morning of March 9 (Singaporean time). The root cause was that the Crowdpooling contract's init() function did not check for repeated calls, which allowed the attackers to re-initialize the contract and execute exploits with flash loans.
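The missing check described above, sketched as an added Solidity example (not DODO's Crowdpooling code; the contract names, fields and error strings are hypothetical): an initializer that can be called again, beside one protected by a one-shot guard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration with hypothetical contracts; not DODO's Crowdpooling code.

// "Before": nothing records that init() already ran, so a later call
// by any address overwrites the pool's owner and token configuration.
contract PoolUnguarded {
    address public owner;
    address public baseToken;
    address public quoteToken;

    function init(address owner_, address base_, address quote_) external {
        owner = owner_;
        baseToken = base_;
        quoteToken = quote_;
    }
}

// "After": a storage flag is set on the first call, and every later
// call reverts before any state is touched.
contract PoolGuarded {
    address public owner;
    address public baseToken;
    address public quoteToken;
    bool private _initialized;

    modifier notInitialized() {
        require(!_initialized, "ALREADY_INITIALIZED");
        _initialized = true;
        _;
    }

    function init(address owner_, address base_, address quote_)
        external
        notInitialized
    {
        require(owner_ != address(0), "ZERO_OWNER");
        owner = owner_;
        baseToken = base_;
        quoteToken = quote_;
    }
}
```

The guard only protects a pool if the first init() call is made by the deployer in the same transaction that creates the contract; a regression test should assert that a second init() call reverts.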
A total of three individuals (wallet addresses) were involved in these attacks: one hacker and two trading bots. $3.8 million worth of assets were initially stolen, but we can confirm that the owners of the two trading bots have returned about $3.1 million to us. We will be referring to them as the 0xb1a and 0x355 trading bots respectively, based on their address prefixes.
The 0xb1a Trading Bot
Asset Return Transactions:
The 0x355 Trading Bot
Asset Return Transactions:
In addition, approximately $200,000 worth of stolen assets is currently frozen on centralized exchanges, and the remaining $500,000 was lost at the expense of the DODO team.
All funds belonging to creators (who contributed significant liquidity for their pools/tokens) of the Crowdpools impacted will be returned to them within the next 24 hours.
In addition, a total of 7 individual users who provided liquidity were impacted. If you have provided liquidity for these Crowdpools, please contact us at firstname.lastname@example.org at your earliest convenience.
Please note that the exploits only affected the liquidity providers (LPs) of Crowdpools of the aforementioned tokens. Trading on the DODO platform is unaffected by the exploits. Similarly, wallet addresses that have given DODO approvals are unaffected by the exploits. Funds in all other pools, including all V1 pools and all non-Crowdpool V2 pools, are also safe and unaffected.
DODO's smart contract code for its main product suite is currently undergoing a new audit by Beosin (LianAnTech), a China-based blockchain security firm. You can find our previous audit reports here. The Crowdpooling functionality is expected to be re-enabled within one week. We have also reached out to other security firms, including SlowMist, to conduct comprehensive platform-wide smart contract audits for DODO.
We have already begun working on a post-mortem of this series of events and will be sharing it with our community as soon as it becomes available.
During our investigation and recovery process, DODO has received support from security partners, allies, and consultants: Binance, 1inch, PeckShield, SlowMist, Tina Zhen, and Samczsun of Paradigm all offered their assistance and advice, for which we are genuinely grateful.
Thank you again for your encouraging words and continued support throughout this matter. #JustDODOIt
The DODO Team