We are on the front line of the Tezos development, and we are building the DeFi Tezos ecosystem from scratch. This task is more complex than work with BSC or Ethereum, where all solutions were tested by the time and different hacking attacks. Being a pioneer is not always easy, and sometimes unforeseen challenges arise. However, we are proud that we are here.
What happened?
Friday and Saturday were not easy for our team. On the 22 of May, we faced the problem.
Some people have found a way to manipulate certain small pools on the current version of QuipuSwap.
Under specific pool conditions, there’s a way to manipulate the investLiquidity entrypoint by investing the amount of XTZ, which is equal to 1.9999 of the lowest token unit (let’s call it satoshi). The QuipuSwap math operations round down (floors) such value to 1 satoshi and the actual amount invested becomes less than it should be. By exploiting this flaw, one can make a series of such investLiquidity and then withdraw more XTZ/tokens than initially invested.
These manipulations were possible to conduct only with pools that have an enormous token price and/or 0 decimals for tokens with a low number of pooled tokens compared to pooled XTZ (such as HEN-minted NFT token pools).
Currently, potentially affected pools are the following:
GUTS, wTACO, and several other pools involving NFTs. This manipulation is impossible to conduct with large pools or whitelisted pools.
What are we going to do?
- We will block a possibility to create pools with tokens that have 0 decimals on our front-end.
- Will add an alert on the front-end that some pools have risks of being attacked, and by creating these pools you may lose your money.
- We will block a possibility to add liquidity to the old pools that have this vulnerability. Liquidity providers may withdraw their liquidity and move it to a new pool after new contracts launch.
Important:
This week, we will deploy updated contracts with the fix for this issue. So, any new pool will be created on the updated contracts. On the UI side, users will be able to interact with both old and new contracts. Swaps will be conducted on pools with more considerable liquidity. We will try to create a smooth transition for our users on a newer version of QuipuSwap and make it as easy as possible.
What’s next?
We promise your work and faith in us will not go unnoticed. We are working on how to reduce the inconvenience of early adopters and reward them for their loyalty. Follow us!
We want to thank members of our community who raised our attention and helped us detect the bug and, especially from Telegram @xtz_guts, @BouncingDeadCat, traders from the group @QuipTalk Guys, you are great!