Cover Protocol Exploited With Infinite Minting Bug - Decentralise #68
40 Quintillion COVER Minted
Cover Protocol Infinity Mint Exploit
Cover Protocol has suffered an exploit with an attacker minting 40 quintillion COVER tokens.
The exploit targeted the project’s Blacksmith staking contract, allowing infinite token minting.
First, around 2000 COVER was minted and sold through 1Inch. The price of one COVER dropped 60% to around $280, but rebounded to around $425.
Then 40 quintillion COVER was minted.
It now seems that the tokens have been burned.
Cover Protocol have updated the community, urging liquidity providers to remove their liquidity.
One of the exploiters has returned $3m of funds, but the COVER supply is still ruined.
Cover Protocol have now announced that the vulnerability has been fixed; however, they have urged people NOT TO BUY COVER. There may well be a fork to return to the pre-exploit state.
Automated Market Maker Indices
I’ve written about how, in scenarios like this, an AMM-based index can drain to zero entirely if one token collapses. That’s because the falling asset is continually bought up to maintain the fixed allocation.
Fortunately that seems to have been avoided here. Power Pool managed to pause transactions within an hour, and PieDAO’s YPIE is a PieVault which doesn’t use an AMM design. The YPIE PieVault had a 4% COVER allocation, and the team were able to act quickly to minimise losses.
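The difference between the two designs, as an added example that is not from the original post or from any project it names. It assumes the AMM index behaves like a fee-less weighted constant-product pool and that the vault simply holds fixed token amounts; the function names and the $1,000,000 and $100 starting figures are constructed.

```python
# Added illustration, not code from the post or from any project it names.
# Assumption: the AMM index is a fee-less weighted constant-product pool
# (the product of balance_i ** weight_i stays constant). All numbers are constructed.

def sell_into_pool(bal_in, w_in, bal_out, w_out, amount_in):
    """Swap amount_in of one token into the pool; return the new (bal_in, bal_out)."""
    new_in = bal_in + amount_in
    new_out = bal_out * (bal_in / new_in) ** (w_in / w_out)
    return new_in, new_out

def spot_price(bal_x, w_x, bal_y, w_y):
    """Pool-implied price of X, quoted in Y."""
    return (bal_y / w_y) / (bal_x / w_x)

def arbitrage_to_market(w_x, drop, start_value=1_000_000.0, start_price=100.0):
    """Balances (X, Y) once traders have sold X into the pool until its spot
    price equals the market price start_price * drop."""
    if not 0.0 < drop <= 1.0:
        raise ValueError("drop must be in (0, 1]")
    w_y = 1.0 - w_x
    bal_x = start_value * w_x / start_price   # units of the collapsing token
    bal_y = start_value * w_y                 # rest of the index, in dollars
    growth = drop ** (-w_y)                   # factor the X balance must grow by
    return sell_into_pool(bal_x, w_x, bal_y, w_y, bal_x * (growth - 1.0))

def amm_index_value(w_x, drop, start_value=1_000_000.0, start_price=100.0):
    """Dollar value left in the pool after the price of X falls to drop * start."""
    bal_x, bal_y = arbitrage_to_market(w_x, drop, start_value, start_price)
    return bal_y + bal_x * start_price * drop

def static_vault_value(w_x, drop, start_value=1_000_000.0):
    """Vault that holds fixed token amounts and never rebalances."""
    return start_value * ((1.0 - w_x) + w_x * drop)

if __name__ == "__main__":
    W_X = 0.04  # the 4% allocation mentioned above
    for drop in (0.4, 1e-3, 1e-9, 1e-18, 1e-60):
        amm = amm_index_value(W_X, drop)
        vault = static_vault_value(W_X, drop)
        print(f"price x{drop:<7g} AMM index ${amm:>12,.0f}   static vault ${vault:>12,.0f}")
```

With a 4% weight the static vault can never lose more than 4% of its value, while the pool is left with start_value * drop ** 0.04, which keeps falling toward zero as the token's price does.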
Conclusion
I’m sorry for everyone who lost funds in this exploit.
It’s yet another reminder of the risks in this space and the necessity of diversification.
I hope that Cover Protocol can survive this as they were providing an innovative and valuable service, allowing the market to establish coverage prices for DeFi protocols. I wrote a piece explaining exactly how it works just recently.
Decentralise is sponsored by PieDAO, and today’s news demonstrates the need for diversification. The new YPIE PieVault allows native staking of the underlying assets across the Yearn Finance ecosystem, lending using Aave, Cream and other protocols, and meta-governance.