The entire crypto Twitter community was stunned on 5 March 2021 when PAID Network, a very popular dApp ecosystem, acknowledged that its token smart contract had suffered an attack. According to the official tweet, close to 60 million PAID tokens, worth $37 million at the time, were wrongly minted, and some of these were then sold on Uniswap. The PAID Network Attack Postmortem report was released today. It revealed that the attack was not the result of a code compromise but of a leaked private key.
The report explains that the private key of the original PAID Network contract deployer was compromised. Using this private key, the attacker invoked the upgrade function of the smart contract and upgraded it to a new implementation that was capable of burning and re-minting tokens.
As soon as the attacker took control of the PAID token contract, they minted over 59,471,745.571 PAID tokens and started selling them on Uniswap. The attacker sold 2,501,203 $PAID tokens before the team discovered the attack. To minimize the damage, the PAID Network team immediately pulled the liquidity from Uniswap.
Combating the damage
The PAID Network team called in 5 industry experts to further safeguard users' funds and determine the steps ahead. According to the report, two weaknesses led to this attack:
- A compromised private key of the token contract
- Failure of the key management process
To combat the damages, the network now plans to take the following steps:
- PAID Network now plans to relaunch its token. This will invalidate the PAID tokens held by the attacker, and v1 $PAID token holders will receive an airdrop of v2 $PAID tokens.
- Along with that, the team will move control of the new token contract to a multi-sig. The new contract will now be controlled by members of the PAID Network C-level team rather than a single deployer key.
- Additionally, the team is working on enhancing its security and audit process.
Did you buy PAID tokens around the time of the attack?
If you bought PAID tokens on Uniswap on 5 March close to 20:00 UTC, there is a chance that you bought some of these incorrectly minted tokens. To confirm this, look at your transaction on Etherscan.
Check out the contract from which you purchased the token.
If the address from which you received the token is “0x8c8687fc965593dfb2f0b4eaefd55e9d8df348df”, then you bought the incorrectly minted tokens.
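The Etherscan check described above can be automated over a transaction receipt's event logs. The following is an added example, not code from PAID Network or its report: it decodes ERC-20 `Transfer` events and flags any whose sender is the address named in this article. The receipt logs and the token contract address are constructed placeholders.

```python
# Added example: flag ERC-20 Transfer events sent by the address named in the
# article. The token contract address and the receipt below are constructed.

# keccak256("Transfer(address,address,uint256)"), the ERC-20 Transfer event signature
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
# Address named in the article as the source of the wrongly minted tokens
FLAGGED_SENDER = "0x8c8687fc965593dfb2f0b4eaefd55e9d8df348df"
# Placeholder for the PAID token contract (assumption, not the real address)
PAID_TOKEN = "0x" + "aa" * 20


def topic_to_address(topic: str) -> str:
    """Indexed address topics are 32-byte words; the address is the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def transfers_from_flagged(logs, token_contract=PAID_TOKEN, flagged=FLAGGED_SENDER):
    """Return (recipient, raw_amount) for every Transfer on token_contract
    whose sender is the flagged address. Other tokens and events are ignored."""
    hits = []
    for log in logs:
        if log["address"].lower() != token_contract.lower():
            continue  # a different token (e.g. WETH leg of the swap)
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
            continue  # not an ERC-20 Transfer with indexed from/to
        if topic_to_address(topics[1]) == flagged.lower():
            hits.append((topic_to_address(topics[2]), int(log["data"], 16)))
    return hits


# Constructed receipt: buyer pays WETH, receives 1,000 PAID from the flagged address
BUYER = "0x" + "bb" * 20
WETH = "0x" + "cc" * 20
SAMPLE_LOGS = [
    {   # WETH leg: buyer -> pool (irrelevant to the check)
        "address": WETH,
        "topics": [TRANSFER_TOPIC, "0x" + "00" * 12 + BUYER[2:], "0x" + "00" * 12 + "dd" * 20],
        "data": "0x" + format(10**18, "064x"),
    },
    {   # PAID leg: flagged address -> buyer, 1,000 tokens with 18 decimals
        "address": PAID_TOKEN,
        "topics": [TRANSFER_TOPIC, "0x" + "00" * 12 + FLAGGED_SENDER[2:], "0x" + "00" * 12 + BUYER[2:]],
        "data": "0x" + format(1000 * 10**18, "064x"),
    },
]

if __name__ == "__main__":
    for to, amount in transfers_from_flagged(SAMPLE_LOGS):
        print(f"flagged transfer: {amount / 10**18:.3f} PAID to {to}")
```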
Real Exploit or a Rug Pull
The community, which waited 33 hours for the PAID Network team to explain the cause of the exploit, is not very happy with the report. Some community supporters are heartbroken that until now PAID Network had been using a token contract controlled by a single key rather than a multisig. Furthermore, part of the community is unhappy that the PAID team did not disclose how the private key was leaked.
Richard Heart, founder of HEX.com, voiced his opinion quite strongly on Twitter. According to Richard, if token holders lose their money simply because PAID Network lost its keys, then this setup defeats the entire point of cryptocurrencies.
Not your keys, not your coins. Cryptocurrency was invented to remove middlemen. If you lose money when someone else loses their keys, you are not using a real cryptocurrency. No admin keys, no oracles, is the only way to go, period. Inside job or not, it's cancer and must stop.
— R.Heart HEX.com 40% APR 352x $ in 361d ⬣🚀🌘 (@RichardHeartWin) March 7, 2021
More doubts seem to be fueling the fire
According to the Twitter account @waronrugs, they have evidence that the $PAID exploit was an insider attack. The Etherscan link shared by WarOnRugs shows that the PAID deployer transferred ownership of the proxy contract to another wallet, which then pointed the proxy at the malicious implementation.
🚨 We now have evidence that $PAID was an insider attack. Paid deployer transferred the ownership of the proxy contract to another wallet, which then changed it with a malicious one that can rug (mint function was re-enabled) as we explained before. https://t.co/zJddXw8iU9 pic.twitter.com/Bgh1HeJd7y
— #WARONRUGS❌ (@WARONRUGS) March 6, 2021
We believe PAID Network will soon come out with an explanation about this. However, the damage has been done: the PAID token has lost over 92% of its value in the last 7 days.