The Cover Protocol is a decentralized coverage market that offers peer-to-peer coverage on various DeFi protocols since November.
They are running a shield mining program that incentivized users to provide liquidity to the coverage market where users can earn $COVER tokens, the governance token of the platform.
Infinite Minting Bug
On 28 December 2020, Cover protocol’s shield mining contract was abused. Exploiters were able to mint more than 40 quadrillions of $COVER tokens by taking advantage of an infinite minting bug in the contract.
The price of the token dropped 77% within an hour of the exploit, according to a report from CoinMarketCap.
A preliminary post-mortem conducted by Peckshield, a leading blockchain security company, suggested that the contract miscalculated the reward amount for users who staked their LP tokens. Sorawit Suriyakarn, the CTO of Band Protocol, believed this was likely due to the misuse of memory and storage in the Solidity source code that amplified the amount minted.
This miscalculation could be triggered by staking and subsequently withdrawing their LP tokens. This incident was very different from other DeFi hacks that involved price oracle manipulation and flashloan attack.
The Justice League in DeFi
After seeing the bat signal, all available devs from Yearn Ecosystem came together to help and support $COVER team.
The Justice League exists. They don't fly, they code 👨💻
If you want to go fast, go alone. If you want to go far, go together 🚀 https://t.co/MVNrvo6wc3
— Facu ⟠ fameal.eth (@fameal) December 28, 2020
A white-hat exploiter was able to leverage the loophole and drain 4,350 Ether from liquidity pools on Uniswap and Sushiswap, then subsequently return the gain to the team. This act prevented other malicious actors from extracting further profits from those pools.
The incident happened at a time where most team members were asleep, according to DeFi Ted, one of the team members. Fortunately, Leo Cheng from Yearn reached out and immediately set up a “war room” to counter any further exploits.
Devs were asleep only I was around, not a dev, and @leokcheng reached out and setup the war room to counter any further issues.
They had given me the instructions to ensure that the mint could not continue and was implemented as soon as enough signers for our multisig.
— DeFi Ted (Bakes) (@DeFi_Ted) December 29, 2020
Shortly after the team was notified, they swiftly disabled the token minting functionality such that there would be no further exploits. They also issued an official statement advising liquidity providers to remove liquidity and users not to buy $COVER tokens from the open market to alleviate further losses.
The team is still investigating the current incident. The exploit is no longer possible.
The exploit is no longer possible. Please do NOT buy $COVER tokens, and remove your liquidity from the COVER/ETH pool on sushiswap.
CLAIM/NOCLAIM balancer pools are unaffected
— Cover Protocol (@CoverProtocol) December 28, 2020
Binance also suspended $COVER trading and deposits at 12:40 pm UTC, and is currently working with the team closely to find a solution that compensates the affected exchange users. On the other hand, all available developers from the Yearn ecosystem have come together and actively assist the Cover team in conducting a thorough investigation.
According to a closed source, they include well-known Solidity developers such as Emiliano Bonassi , Banteg , Vasa , Leo Cheng , andy8052 , @fameal , 0xMaki, etc., as well as every member of the Cover team. Together with CZ’s full support , They formed a CeFi and DeFi Justice League to conduct an investigation and come up with a mitigation plan.
— CZ Binance (@cz_binance) December 28, 2020
Here is a collective work from RektOpSec 💪 @emilianobonassi @bantg @leokcheng @arbingsam @x48_crypto @milkyklim @bneiluj @RektHQ @fameal @doug_molinam @andy8052 @dudesahn @CoverProtocol team and others (sry if I missed someone)
The report is still WIP.https://t.co/7GgmYovcTc
— vasa (@vasa_develop) December 29, 2020
They also receive wide support from big players across the DeFi space, including Sushiswap developer 0xMaki.
I have been there and it is one of the scariest place to be in.
I was asleep during Cover hack but happy to see we can rely on so many people inside our ecosystem now to help.
We will do everything to help Cover comeback from this at Sushi. https://t.co/dtBIUTsUz7
— 0xMaki 源 義経 (@0xMaki) December 29, 2020
The Next Step
The overall loss in this incident was relatively limited compared to other DeFi exploits. The Cover protocol remains largely unaffected, with only the governance token being compromised. Coverage seekers can still purchase coverage tokens on the open market. Version 2 of the protocol is on track to be launched in Q1 2021.
They are currently exploring ways to restore the governance component of the protocol. They would be providing a new token through a snapshot right before the exploit to compensate token holders and liquidity providers who were affected by the exploit. Ether secured by the white-hat exploiter would also be returned to liquidity providers.
This zero-day exploit demonstrates how the DeFi community can come together in no time and collaborate to help contain a crisis and make DeFi a better place. Thanks to the help of other developers, the team can move swiftly to compensate the affected users.
Spanish Banks Ready to Offer Crypto Services; Await Central Bank Directive
Solana is Rock-Solid, SOL Traders Bank on Macros for a Rally above $220
Polkadot Upsides Better than Bitcoin’s, DOT to $80 for a 55% Surge?
Invesco Withdraws Its Application for a Bitcoin (BTC) Futures ETF
Chainlink Inside a Bull Flag, LINK Traders Expect a Swing Back to $54
Top Cryptocurrencies That Lead Charts During the Summer Bull Run
Senator Ted Cruz Says Texas Should Use Wasted Natural Gas to Mine BTC
Bitcoin Price Ready for Takeoff to New ATH as Market Cap Surges Past $1T
Sri Lanka Creates a Panel to Study the Blockchain and Crypto Mining
Is WAX (WAXP) a Good Investment?
Jerome Powell Says the Federal Reserve Will Not Ban Crypto Like China
Exciting Crypto Projects to Watch in October 2021
Learn12 months ago
Is Polkadot (DOT) A Good Investment?
News12 months ago
How Will Bitcoin React if Either Trump or Biden Wins?
Learn11 months ago
Yearn Finance Explained: A Simplified Guide to YFI
Price Analysis11 months ago
Bitcoin Price Prediction: China FUD, Path back to $13k or $20k?
Learn11 months ago
Is Chainlink (LINK) A Good Investment?
Price Analysis11 months ago
How The “Easiest Bitcoin Short of Our Lives” Turned Sour