Paid Network, a DeFi platform geared toward real world companies, continues to be manipulated now in that an “infinite mint” attack that’s delivered PAID token costs plunging up of 85 percent.
Though the tap netted almost $180 million in PAID tokens at the right time of this attack — that which could have been the largest tap of a DeFi protocol — that the hacker’s money is going to wind up being less. 1 observer said that the attacker’s pocket just converted a few of the tokens to wrapped ether, leaving the remainder in rapidly-devaluing PAID tokens:
Overview of $PAID episode:
Complete PAID swapped to WETH: 2079.603371141493
Complete PAID abandoned in accounts: 594,717,455.71
Total sum in cheque accounts = 27,418,034.33
Stay Safe. pic.twitter.com/Lz93qGKAq0
— vasa (@vasa_develop) March 5, 2021
The attacker’s pocket nevertheless has over 57 million PAID tokens worth $37 million.
The tap is similar to a attack on motor insurance plan Cover that happened in late December this past year. In that case, the group took a “snapshot” of holders before this attack and issued a fresh token, returning the source of this token into pre-exploit levels.
The group supported on Twitter which they’re planning to get a photo and recovery:
We’re exploring the situation. We pulled money, are developing a brand new smart deal, & will probably be assigning everybody’s first balances to prior to the hack.
People who have staked, Lpool & UniFarm $PAID will have their sanity be shipped to those manually.
We can share more updates shortly
— PAID NETWORK (@paid_network) March 5, 2021
But token holders worried to get a settlement might be out of luck. A few in that the neighborhood are thinking the attack on PAID was not an exploit in any way, but rather a “rugpull” — a colloquial term for the insider design contracts to specially make them exploitable and swiping consumer funds.
Nick Chong of all Parafi Capital mentioned on Twitter that Ms’s deployer contract, the externally controlled accounts, transferred possession of the deployer into the attacker soon before the mint, suggesting that a part of this group rugpulled, or even errantly permitted the attack to occur using a safety lapse:
Paid Network’s deployer, an EOA, moved possession of a contract into the attacker 30 mins prior to the minthttps://t.co/h14GdV4fCf
— Nick Chong (@n2ckchong) March 5, 2021
Also a DeFi hazard identification accounts @WARONRUGS warned of precisely this tap in overdue January, imagining that the contract operator could mint PAID tokens anytime:
❌ Scam Advisory Number 86- PAID Network $PAID (0x8c8687fC965593DFb2F0b4EAeFD55E9D8df348df)
Rationale: The proprietor could mint parts and failed mint components to new wallets who never purchased the presale. Deal is behind a proxyserver.
Likeliness of shedding all funds: Really Top
— #WARONRUGS❌ (@WARONRUGS) January 25, 2021
An on-chain note delivered to the attacker contains ominously cautioned that “the LAPD will be in contact with Kyle Chasse very shortly.” Kyle Chasse is actually the CEO of Complimentary Network.
Paid Network didn’t respond to your request for comment by the time of publication.