A Full Analysis of the MonoX Attack

Incident analysis

The attackers used the same address 0xEcbE385F78041895c311070F344b55BfAa953258 to launch an attack on MonoX on Ethereum as well as MATIC, with the same contracts deployed to conduct the attack on both platforms. The attack transactions are:

Figure 1: Exchange WETH for MONO
Figure 2: _removeLiquidity source code
Figure 3: Details of the internal calls to remove liquidity for the first time
Figure 4: Remove all liquidity in the MONO pool in Monoswap
Figure 5: Add liquidity in the attack contract
Figure 6: Source code of the swapIn function
Figure 7: Parameter calculation of the exchange process
Figure 8: Price calculation after exchange
Figure 9: Source code of the swapOut function
Figure 10: Initial MONO price
Figure 11: Repeated exchanges, raising the price of MONO
Figure 12: MONO exchange details
Figure 13: Final MONO price

Incident review

In this attack, the attackers exploited two vulnerabilities in the contract: (1) any address can arbitrarily remove the liquidity of a specified address; (2) in special cases, price write operations override one another.
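The first vulnerability is a missing caller check on liquidity removal. The following added example (not code from the article or from MonoX) models it in Python with a simplified share ledger, showing the flawed behaviour beside a hardened form; the class, the function names, the sample addresses and the choice to pay the withdrawal to the share owner are all assumptions of the model.

```python
# Simplified single-token pool ledger (constructed model, not MonoX's Solidity).
class Pool:
    def __init__(self, check_caller):
        self.check_caller = check_caller   # False = flawed form, True = hardened form
        self.reserve = 0                   # tokens held by the pool
        self.shares = {}                   # provider -> liquidity shares
        self.total_shares = 0

    def add_liquidity(self, caller, amount):
        if amount <= 0:
            raise ValueError("amount must be positive")
        # First deposit mints 1:1; later deposits mint pro rata.
        if self.total_shares == 0:
            minted = amount
        else:
            minted = amount * self.total_shares // self.reserve
        self.reserve += amount
        self.shares[caller] = self.shares.get(caller, 0) + minted
        self.total_shares += minted
        return minted

    def remove_liquidity(self, caller, provider, share_amount):
        # Hardened form: only the owner of the shares may burn them.
        if self.check_caller and caller != provider:
            raise PermissionError("caller does not own these shares")
        held = self.shares.get(provider, 0)
        if share_amount <= 0 or share_amount > held:
            raise ValueError("invalid share amount")
        payout = share_amount * self.reserve // self.total_shares
        self.shares[provider] = held - share_amount
        self.total_shares -= share_amount
        self.reserve -= payout
        return payout  # assumption: paid out to `provider`, not to `caller`


def third_party_removal(check_caller):
    """Two providers fund a pool, then an unrelated address targets both positions."""
    pool = Pool(check_caller)
    pool.add_liquidity("alice", 600)   # constructed sample providers
    pool.add_liquidity("bob", 400)
    blocked = 0
    for provider in ("alice", "bob"):
        try:
            pool.remove_liquidity("mallory", provider, pool.shares[provider])
        except PermissionError:
            blocked += 1
    return pool.reserve, blocked       # (remaining reserve, rejected calls)


if __name__ == "__main__":
    print("flawed  :", third_party_removal(False))
    print("hardened:", third_party_removal(True))
```

Without the check, the pool reserve falls to zero even though neither provider made a call; with it, both calls are rejected and the reserve is unchanged.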

BEOSIN