
dYdX developers uncover a vulnerability in a ‘recently deployed smart contract’
The decentralized derivatives exchange dYdX warned of a vulnerability that was found in a ‘recently deployed smart contract’. The project team said that users’ funds are safe and the bug has been promptly fixed.
At 05:21 UTC today the dYdX team was alerted of a security issue with a newly deployed smart contract
❗If you have set allowance to deposit to https://t.co/1WbZbCpiuX since Wednesday 11/24 read for important recovery information❗
NO FUNDS WERE LOST AND ALL FUNDS ARE SAFE 🔒
— dYdX 🦔 (@dydxprotocol) November 27, 2021
The contract in question is likely the one responsible for ‘gasless’ deposits of USD Coin (USDC) and swaps of certain ERC-20 tokens to USDC via the API of the 0x liquidity aggregator. The platform added this capability on November 24; after the incident, access to it was temporarily restricted.
The bug was discovered by a white-hat hacker going by the handle samczsun. The potential exploit affected 700 addresses holding tokens worth around $2 million. As part of the remediation process, these assets were moved to an escrow contract address.
samczsun saves the day again pic.twitter.com/eozlcDnRZf
— banteg (@bantg) November 27, 2021
Only users who had authorised the platform to spend funds from their wallets after November 24 were affected. To recover assets from the escrow contract address, users must initiate the procedure from the relevant wallet.
Affected users will see a corresponding notice when they visit the platform. Funds can be recovered at any time.
Am I safe?
Paid 20$ for unset USDC. pic.twitter.com/1SEs9GvwX9
— Yekta. (@yekovski) November 27, 2021
The project team promised to publish full details of the incident once affected users recover their funds.
In September, dYdX developers discovered a bug in the staking-pool smart contract for the DYDX governance token.