PAID Network launched on Polkastarter's platform not long ago and brought enormous returns to private sale investors. It is now going through what appears to be a massive attack, despite the smart contract having been audited by CertiK.
It appears that over 59 million PAID tokens were minted and sold through Uniswap. As a result, the token is currently trading at about $0.32, a 24-hour decline of more than 88%.
PAID was trading at roughly $3 per token before the plunge, giving the minted tokens a value of about $159.3 million at the time of their creation. The price has not recovered so far.
Smart contract platforms are clearly still very early-stage. With exploits occurring almost every week, the industry needs more development to become more secure.
The team has issued an official statement today from CEO Kyle Chasse.
The attacker used a compromised private key belonging to the original contract deployer to leverage the upgrade function of the smart contract. The attacker then proceeded to upgrade to a new smart contract which had the ability to burn and re-mint tokens.
With the upgraded smart contract, the attacker then minted 59,471,745.571 PAID tokens which they then proceeded to sell. 2,501,203 $PAID tokens on Uniswap were sold for a total of 2,040.4339 ETH before the attack was discovered at 20:17 UTC+2.
To prevent any further damage by the attacker, PAID Network is relaunching its token to wipe the attacker from the ledger of token holders, moving control of the new token contract to a multi-sig, and securing comprehensive security and process audits to ensure we are never again vulnerable to this kind of attack or others.
The attack's root cause was a combination of two vulnerabilities: a leaked private key and a failure in key management processes. Our code was not compromised, and we maintain faith in our CertiK audit.
The first failure was a private key leak. We have identified the cause of the private key leak and have mitigated it. Because we have not fully resolved the situation with the responsible party, we are not disclosing details on how the private key was leaked at this time. As far as we can tell, it was not a malicious leak, and we have no reason to think that it was.
The second failure was a key management failure. The compromised private key provided access to the PAID token contract. It was used to modify the token contract to allow the attacker to burn maliciously and then re-mint PAID tokens.
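One way to remove the single-key upgrade authority that the statement describes as the root cause, written here as an added example rather than PAID Network's or CertiK's code: the proxy's admin is a contract whose owner must be a multi-sig, and every upgrade is queued publicly for a delay before it can be applied. The proxy interface, contract names and the two-day delay are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Proxy whose implementation can be swapped (interface name assumed).
interface IUpgradeableProxy {
    function upgradeTo(address newImplementation) external;
}

// Holds the proxy's upgrade authority. `owner` is meant to be a multi-sig,
// and every upgrade must sit in a public queue for DELAY before it is applied,
// so a single leaked key cannot swap the implementation in one transaction.
contract TimelockedUpgradeAdmin {
    uint256 public constant DELAY = 2 days;   // assumed review window
    address public immutable owner;           // multi-sig wallet address
    IUpgradeableProxy public immutable proxy;
    mapping(address => uint256) public readyAt; // impl => earliest apply time

    event UpgradeQueued(address indexed newImplementation, uint256 eta);
    event UpgradeExecuted(address indexed newImplementation);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address multisig, IUpgradeableProxy proxy_) {
        // Reject an externally owned account: a bare key must not be the admin.
        require(multisig.code.length > 0, "owner must be a contract");
        owner = multisig;
        proxy = proxy_;
    }

    // Step 1: announce the upgrade; watchers can inspect the new code on-chain.
    function queueUpgrade(address newImplementation) external onlyOwner {
        require(readyAt[newImplementation] == 0, "already queued");
        readyAt[newImplementation] = block.timestamp + DELAY;
        emit UpgradeQueued(newImplementation, readyAt[newImplementation]);
    }

    // Step 2: apply it only once the delay has elapsed.
    function executeUpgrade(address newImplementation) external onlyOwner {
        uint256 eta = readyAt[newImplementation];
        require(eta != 0 && block.timestamp >= eta, "not ready");
        delete readyAt[newImplementation];
        proxy.upgradeTo(newImplementation);
        emit UpgradeExecuted(newImplementation);
    }
}
```

The UpgradeQueued event is the detection hook: a monitor that alerts on it gives the team the whole delay window to spot an upgrade nobody authorised before it takes effect.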
Source: www.cryptopotato.com, Official PAID Statement