On February 14th, developers of the MINER token, based on the experimental ERC-X standard, reported an exploit of their smart contract leading to a loss of funds.
We are getting the exploit looked into by an expert onchain sleuth to make sense of what has happened.
Some other contracts — notably DN404 — are also getting exploited as we speak.
Again, please do not buy $MINER right now.
— Miner (@minerercx) February 14, 2024
At the time of writing, the attack is ongoing. The team claims to have extracted about 130 ETH (~$360,000) in liquidity.
They noted that several other contracts, particularly DN-404, have faced similar breaches.
Subsequently, DN-404 developers denied being affected by the incident.
This is false news — we have multiple unit tests and invariant tests to verify that self transferring can’t be exploited.
DN404 is not affected by this. pic.twitter.com/1ODeA4WCTw
— cygaar (@0xCygaar) February 14, 2024
MINER developers strongly advised users to refrain from purchasing the token until the issue is resolved.
Cyvers Alerts analysts also reported malicious transactions within the MINER protocol. According to their data, losses currently amount to approximately $460,000.
?ALER?Our system has detected multiple malicious transactions with @minerercx!
Total loss seem to be around $460K so far. But attack is still ongoing!
Attacker seem to be same as XAI Token Exploiter!
As there is no direct communication with team.
Please do reach to us for… pic.twitter.com/AXRhghMiQT— ? Cyvers Alerts ? (@CyversAlerts) February 14, 2024
In the past hour, the price of MINER has plummeted by more than 60%, according to GeckoTerminal. The token is currently trading at $8.
MINER’s internal investigation revealed that the breach was due to a double-counting error in an internal transfer function. This allowed the attacker to repeatedly send tokens to themselves, doubling their balance with each iteration. The tokens were then sold on Uniswap.
1/ Our analysis of the exploit ?
Based on our analysis the _update function was exploited.
The root cause is if you transferred tokens to yourself then your balance would be doubled as the contract used the cached value toBalance.https://t.co/6dXniOIGNU pic.twitter.com/KfyScdwnuF
— Miner (@minerercx) February 14, 2024
Developers promised to resolve the issue before redeploying the contract. A snapshot of current holders will be taken prior to the attack.
According to the latest data, the damage amounted to 156 ETH.
The hacker was offered a 30% bounty of the stolen funds ($120,000) for their return. If they refuse, a similar amount will be offered to anyone who helps identify the perpetrator.
MINER is a collection of 100,000 avatars linked to the first tokens created using the experimental ERC-X standard. It combines features of ERC-20 assets, ERC-404, ERC-721, ERC-721A, ERC-721Psi, ERC-1155, and ERC-1155Delta.
Previously, ForkLog reported that the crypto casino Duelbits lost $4.6 million due to a hack.