Experts saved DxSale from a $5.2 million exploit and only got $500 for it

  • Decurity experts have discovered a vulnerability in a smart contract of the DxSale DeFi protocol. The potential damage from the hack is $5.2 million.
  • The company contacted the site’s administration, which did not immediately believe it was dealing with auditors.
  • Decurity was eventually offered a $500 reward. The company’s CEO said it had caused “disappointment”. Users have been warned to use caution when interacting with the platform. 

Cybersecurity firm Decurity said it has discovered a vulnerability in the DxSale protocol with a potential $5.2 million in damages. The platform offered $500 as a reward, which the organization considered an “unexpected disappointment.” 

“During our review, we came across an unverified smart contract on BSC. Despite the lack of source code, the address balance contained a significant amount of LP tokens on PancakeSwap,” the report stated.

The address in question was. Through decompilation, Decurity found that the contract allowed liquidity to be locked in individual pools on DxSale.

However, the contract contained a vulnerability: an attacker could indefinitely unlock tokens held in it due to a lack of proper verification.

There were a total of 21,600 wBNB in pools that interacted with the address, according to the report. This puts the possible damage from the smart contract hack at $5.2 million. 

Platform response

“Once we verified everything, we reached out to DxSale on Telegram. They didn’t answer us for a long time, and then they didn’t believe we were auditors,” said the company’s CEO Omar Ganiev. 

The vulnerability was eventually fixed by setting the locking fee at a level that makes it impractical to attempt a hack. Decurity said the decision was inefficient, but its claim was not taken into account.

The platform’s administration eventually offered a $500 reward to the analysts. In the words of Decurity’s CEO, they’re glad they were able to protect users’ funds, but this approach to fixing vulnerabilities and the reported payout is “disappointing.” 

We previously described a similar case. In September 2022, the hacker “riptide” prevented a massive hack of Arbitrum. For this, he received a reward of 400 ETH (about $587,000 at the time). 

Before that, the platform administration offered a reward of up to $2 million for finding a critical bug. “Riptide” accused the Arbitrum team of cheating and said it was incidents like this that made “white hats” think twice about going into the illegal sector. 