PAID Network Post Mortem

CertiK | Mar 7, 2021

Article's Poster

On March 5th, 2021, PAID Network suffered from a "mint" attack caused by private keys mismanagement. The proxy owner's private keys were used (or compromised) to swap the deployed code audited by CertiK with the malicious one containing the burn and mint functions used during the attack. Such burn and mint functions were not present in the audited code. We are not able to confirm what transpired up to the point the contract ownership was transferred to the address that executed the burn and mint functions, but we can conclude these are the actions that occurred. View the full audit report in the CertiK audit report dated 01/24/21

The following post mortem will outline the objective details of the incident.

PAID Incident Timeline

The PAID Incident occurred on March 5th 2021 over the span of approximately 30 minutes.

On-chain analysis resulted in the following conclusions:

Step 1: Contract ownership is transferred to the attacker who at this point is in full control of the proxy after the private keys were used (or compromised).

Step 2: The contract gets updated via the proxy, and additional functionality is introduced.

Step 3: Attacker burns 60 million PAID so they can be the only one able to sell.

Please note that the original contract that was audited by CertiK and was deployed originally did not have any externally exposed (public/external) burn or mint functionality.

Step 4: Attacker mints coins and starts to dump PAID tokens to Uniswap for Ether

Ultimately, the attack did not exploit the smart contract code but used (or compromised) the private keys of the contract’s proxy. The original CertiK audit report had highlighted centralization issues under PTN-10: Ambiguous Functionality and various other segments.

Highlighting Centralization

Contract upgradability, such as that utilized in order to facilitate this incident, does have its place in smart contracts, particularly when it exists as intended functionality by the project. This type of functionality requires the contract owner/deployer to ensure the security of the private keys which can enable this type of incident to occur, in conjunction with the fundamental security of the code.

CertiK will continue to enhance efforts when it comes to highlighting project centralization.

Summary

On March 5th 2021 the PAID contract owner burned ~ 60m PAID tokens to ensure that those tokens cannot be sold. Shortly after, they minted 59,471,745 PAID before selling 2,401,203 via Uniswap.

The burn and mint functions did not exist in the code audited by CertiK. These were added post-audit by the attacker who used (or compromised) the private keys of contract’s proxy. Objectively, no audited smart contract code was exploited.