SafeDollar Post-Mortem Analysis
SafeDollar was recently the subject of an exploit that resulted in a loss of 202,230 USDC and 46k USDT.
The protocol itself is working fine. Only the PLX version 1 pool had an issue, which caused the exploit. The following is the technical analysis of the event.
The attack happened on Jun-28-2021 03:48:36 AM +UTC. The hacker performed the attack from wallet https://polygonscan.com/address/0xfedc2487ed4bb740a268c565dacdd39c17be7ebd with the tx
from where he drew 16,626,185,544,882 and drained the liquidity pool to withdraw 202,230 USDC and 46k USDT.
Since PLX is a deflationary token, every time a user deposits to the pool, 0.15% of the amount is burnt. The hacker kept depositing and withdrawing from the pool, so the PLX balance of the pool (lpSupply) kept decreasing and became very small (https://polygonscan.com/tx/0xd78ff27f33576ff7ece3a58943f3e74caaa9321bcc3238e4cf014eca2e89ce3f). lpSupply is the divisor in the reward-per-share update:
accSdoPerShare = accSdoPerShare.add(_sdoReward.mul(1e18).div(lpSupply));
With lpSupply that small, accSdoPerShare became very big. He then harvested that insanely big amount of pending SDO reward and dumped it into the liquidity pools.
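The accounting drift described above can be checked with a small Python model, which also shows a common mitigation for fee-on-transfer tokens: credit only the amount actually received and divide by the pool's own staked total. This is an added example, not SafeDollar's contract code. The Pool class, the measure_received switch, the user names and all amounts are constructed; only the 0.15% burn and the 1e18 reward formula come from the analysis.

```python
# Simplified integer model of a reward pool holding a fee-on-transfer token.
# Added example: class, names and numbers are constructed, not contract code.
FEE_BPS = 15          # 0.15% burnt on each deposit (from the analysis)
PRECISION = 10**18    # same 1e18 scaling as accSdoPerShare

class Pool:
    def __init__(self, measure_received):
        self.measure_received = measure_received  # True = hardened accounting
        self.balance = 0          # tokens the pool actually holds
        self.total_staked = 0     # sum of user credits
        self.staked = {}          # user -> credited amount
        self.acc_per_share = 0

    def lp_supply(self):
        # Vulnerable form divides by the raw token balance, as in the analysis.
        return self.total_staked if self.measure_received else self.balance

    def deposit(self, user, amount):
        received = amount - amount * FEE_BPS // 10_000  # burn during transfer
        self.balance += received
        credit = received if self.measure_received else amount
        self.staked[user] = self.staked.get(user, 0) + credit
        self.total_staked += credit

    def withdraw(self, user, amount):
        if amount > self.staked[user] or amount > self.balance:
            raise ValueError("insufficient stake or pool balance")
        self.staked[user] -= amount
        self.total_staked -= amount
        self.balance -= amount

    def add_reward(self, reward):
        supply = self.lp_supply()
        if supply > 0:
            self.acc_per_share += reward * PRECISION // supply

    def pending(self, user):
        return self.staked.get(user, 0) * self.acc_per_share // PRECISION

def run(measure_received, cycles=66, reward=1_000):
    pool = Pool(measure_received)
    pool.deposit("honest", 1_000_000)
    for _ in range(cycles):            # repeated deposit/withdraw of one user
        pool.deposit("looper", 10_000_000)
        pool.withdraw("looper", pool.staked["looper"])
    pool.add_reward(reward)
    return pool.lp_supply(), sum(pool.pending(u) for u in pool.staked)

if __name__ == "__main__":
    print("vulnerable (lpSupply, pending):", run(False))
    print("hardened   (lpSupply, pending):", run(True))
```

In the vulnerable form the total pending reward exceeds the reward emitted, which is the invariant a monitoring check or unit test on such a pool should assert.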
We are finalizing the compensation and move-forward plan and will announce it in a separate article.
We hope this gives a transparent response to the SafeDollar community.
Thank you for your understanding and support of SafeDollar.