Real Exploit or a Rug Pull – The PAID Network Attack

The whole of crypto Twitter was stunned on 5 March 2021 when PAID Network, the very popular dApp ecosystem, acknowledged that its token smart contract had suffered an attack. According to the official tweet, close to 60 million PAID tokens, worth about $37 million at the time, were wrongly minted, and some of these were then sold on Uniswap. The PAID Network Attack Postmortem report was released today. It reveals that the attack was not the result of a code compromise but of a leaked private key.

The report explains that the private key of the original PAID Network contract deployer was compromised. Because the token lives behind an upgradeable proxy, whoever holds that key can call the proxy's upgrade function. Using the stolen key, the attacker did exactly that, pointing the proxy at a new implementation contract that was capable of burning and re-minting tokens.

As soon as the attacker took control of the PAID token contract, they minted 59,471,745.571 PAID tokens and started selling them on Uniswap. The attacker had sold 2,501,203 $PAID tokens before the team discovered the attack. To minimize the damage, the PAID Network team immediately pulled the liquidity from Uniswap.

Combating the damage

The PAID Network team called in five industry experts to further safeguard users' funds and determine the steps ahead. According to the report, two weaknesses led to this attack:

  • A compromised private key belonging to the deployer (and therefore the upgrade authority) of the token contract
  • A failure of the key management process around that key

To combat the damages, the network now plans to take the following steps:

  • PAID Network plans to relaunch its token. This will invalidate the PAID tokens held by the attacker, and v1 $PAID token holders will receive an airdrop of v2 $PAID tokens.
  • Along with that, the team will move control of the new token contract to a multi-sig. The new contract will be controlled by members of the PAID Network C-level team rather than by a single key.
  • Additionally, the team is working on enhancing its security and audit process.

Did you buy PAID tokens around the time of the attack?

If you bought PAID tokens on Uniswap on 5 March close to 20:00 UTC, there is a chance that you received some of the incorrectly minted tokens. To confirm, look up your purchase transaction on Etherscan.

Check the address from which the PAID tokens were transferred to you (the “Tokens Transferred” section of the transaction page).

If the tokens came from “0x8c8687fc965593dfb2f0b4eaefd55e9d8df348df”, then you bought the incorrectly minted tokens.
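The Etherscan check above can be done offline against a transaction receipt, which is useful if you have many transactions to screen. The following is an added example, not code from the article or from PAID Network: it decodes the ERC-20 Transfer events in a receipt (as returned by any Ethereum JSON-RPC node via eth_getTransactionReceipt) and flags any PAID transfer whose sender is the attacker address quoted above. The token contract address and the buyer address are placeholders, and the receipt is constructed inline for illustration.

```python
"""Screen an Ethereum transaction receipt for PAID tokens sent by the attacker address."""

# Attacker address quoted in the article's buyer check.
ATTACKER = "0x8c8687fc965593dfb2f0b4eaefd55e9d8df348df"

# keccak256("Transfer(address,address,uint256)"): the standard ERC-20 Transfer event topic.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

# Placeholder addresses (assumptions for the example, not the real PAID token or a real buyer).
TOKEN = "0x00000000000000000000000000000000000000a1"
BUYER = "0x00000000000000000000000000000000000000b2"
DECIMALS = 18  # PAID is assumed to use 18 decimals, like most ERC-20 tokens


def topic_to_address(topic: str) -> str:
    """An indexed address is left-padded to 32 bytes in a topic; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def decode_transfers(receipt: dict, token: str) -> list:
    """Return (from, to, raw_amount) for every Transfer event emitted by `token` in a receipt."""
    transfers = []
    for log in receipt["logs"]:
        # Only look at events emitted by the token contract itself.
        if log["address"].lower() != token.lower():
            continue
        topics = log["topics"]
        # Transfer has two indexed address parameters, so exactly three topics.
        if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
            continue
        amount = int(log["data"], 16)  # uint256 value in the unindexed data field
        transfers.append((topic_to_address(topics[1]), topic_to_address(topics[2]), amount))
    return transfers


def tainted_transfers(receipt: dict, token: str, buyer: str, attacker: str = ATTACKER) -> list:
    """Transfers of `token` in the receipt that went from the attacker to the buyer."""
    return [
        t for t in decode_transfers(receipt, token)
        if t[0] == attacker.lower() and t[1] == buyer.lower()
    ]


def to_units(raw_amount: int, decimals: int = DECIMALS) -> float:
    """Convert a raw uint256 token amount to whole tokens."""
    return raw_amount / 10 ** decimals


def pad_address(addr: str) -> str:
    """Encode an address the way it appears in an indexed event topic (32-byte left-padded)."""
    return "0x" + addr[2:].lower().rjust(64, "0")


# Constructed receipt: a WETH-style transfer from another contract (ignored) followed by a
# PAID transfer of 1500 tokens from the attacker to the buyer.
SAMPLE_RECEIPT = {
    "logs": [
        {
            "address": "0x00000000000000000000000000000000000000c3",
            "topics": [TRANSFER_TOPIC, pad_address(BUYER), pad_address("0x" + "d" * 40)],
            "data": "0x" + format(10 ** 18, "064x"),
        },
        {
            "address": TOKEN,
            "topics": [TRANSFER_TOPIC, pad_address(ATTACKER), pad_address(BUYER)],
            "data": "0x" + format(1500 * 10 ** 18, "064x"),
        },
    ]
}


if __name__ == "__main__":
    for sender, _, raw in tainted_transfers(SAMPLE_RECEIPT, TOKEN, BUYER):
        print(f"WARNING: {to_units(raw):.3f} tokens received from attacker {sender}")
```

Against a real transaction, replace SAMPLE_RECEIPT with the JSON object your node returns for eth_getTransactionReceipt and TOKEN with the PAID token contract address shown on Etherscan; the decoding logic does not change.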

Real Exploit or a Rug Pull

The community, which waited patiently for 33 hours for the PAID Network team to explain the cause of the exploit, is not very happy with the report. Some community supporters are heartbroken that until now the PAID token contract was controlled by a single key rather than a multisig. Furthermore, part of the community is unhappy that the PAID team has not disclosed how the private key was leaked.

Richard Heart, founder of HEX.com, voiced his opinion quite strongly on Twitter. According to Richard, if token holders lose their money simply because PAID Network lost its keys, then the setup defeats the entire doctrine of cryptocurrencies.

More doubts seem to be fueling the fire

The Twitter account @waronrugs claims to have evidence that the $PAID exploit was an insider attack. The Etherscan link shared by Waronrugs shows that the PAID deployer transferred ownership of the proxy contract to another wallet, which was then changed to the malicious wallet address.

We believe PAID Network will soon come out with an explanation about this. However, the damage has been done, as the PAID token has lost over 92% of its value in the last 7 days.
