CertiK Logo
CertiK Logo
Products
Blogs
Company
incident-response

Products & Technology

Featured Ecosystems

Company

English
Back to all stories
Blogs
Announcements
PAID Network Post Mortem
3/7/2021
PAID Network Post Mortem

On March 5th, 2021, PAID Network suffered from a "mint" attack caused by private keys mismanagement. The proxy owner's private keys were used (or compromised) to swap the deployed code audited by CertiK with the malicious one containing the burn and mint functions used during the attack. Such burn and mint functions were not present in the audited code. We are not able to confirm what transpired up to the point the contract ownership was transferred to the address that executed the burn and mint functions, but we can conclude these are the actions that occurred. View the full audit report in the CertiK audit report dated 01/24/21

The following post mortem will outline the objective details of the incident.

PAID Incident Timeline

The PAID Incident occurred on March 5th 2021 over the span of approximately 30 minutes.

On-chain analysis resulted in the following conclusions:

Step 1: Contract ownership is transferred to the attacker who at this point is in full control of the proxy after the private keys were used (or compromised).

Step 2: The contract gets updated via the proxy, and additional functionality is introduced.

Step 3: Attacker burns 60 million PAID so they can be the only one able to sell.

Please note that the original contract that was audited by CertiK and was deployed originally did not have any externally exposed (public/external) burn or mint functionality.

Step 4: Attacker mints coins and starts to dump PAID tokens to Uniswap for Ether

Ultimately, the attack did not exploit the smart contract code but used (or compromised) the private keys of the contract’s proxy. The original CertiK audit report had highlighted centralization issues under PTN-10: Ambiguous Functionality and various other segments.

Highlighting Centralization

Contract upgradability, such as that utilized in order to facilitate this incident, does have its place in smart contracts, particularly when it exists as intended functionality by the project. This type of functionality requires the contract owner/deployer to ensure the security of the private keys which can enable this type of incident to occur, in conjunction with the fundamental security of the code.

CertiK will continue to enhance efforts when it comes to highlighting project centralization.

Summary

On March 5th 2021 the PAID contract owner burned ~ 60m PAID tokens to ensure that those tokens cannot be sold. Shortly after, they minted 59,471,745 PAID before selling 2,401,203 via Uniswap.

The burn and mint functions did not exist in the code audited by CertiK. These were added post-audit by the attacker who used (or compromised) the private keys of contract’s proxy. Objectively, no audited smart contract code was exploited.

Related Stories
Post Mortem: Hector Network
Blogs
Incident Analysis
In light of the $2.7 million withdrawal incident from Hector Network's contract, we have gathered all the relevant information and are committed to maintaining transparency with the public.
1/17/2024
Post Mortem: Fintoch
Blogs
Incident Analysis
On May 5th, 2023, the Fintoch was rugpulled, leading to a loss of ~$31.6M.
1/8/2024
Post Mortem: Sushiswap
Blogs
Incident Analysis
On April 9th, 2023, the RouteProcessor2 in Sushiswap was exploited due to missing validation on the input with processRoute function. The total loss is around $ 3.3 M.
1/8/2024
CertiK Logo
SOC
© 2024 by CertiK. All Rights Reserved.
Products & Technology
Smart Contract AuditSkynetSecurity ScoreKYCPenetration TestingBug BountyFormal VerificationAdvisory ServicesSkyHarborSkyInsights
Company
AboutVenturesBlogCareersDisclaimerPrivacy PolicyCookie PolicyTerms and ConditionsTrust and Security
Social Media
CertiKSecurity LeaderboardCertiK AlertTelegramYoutube
MediumLinkedIn
Wechat
Discord
MediumLinkedIn
Wechat
Discord
© 2024 by CertiK. All Rights Reserved.
;