Synthetix $1 Billion Exploit

June 25th 2019

In what amounts to a particularly heart-warming example of the power – and responsibilities – of decentralization, Synthetix founder Kain Warwick announced that an error that netted one legitimate user over $1 billion in profit has been fixed and that the user rolled back all the transactions in exchange for a bug bounty.

“Definitely a rough day, but I am proud of our team and community in handling this issue. No funds were lost, the owner of the bot who exploited the issue agreed to reverse the trades.”

— kainwarwick.eth (@kaiynne) June 25, 2019

The error occurred when a commercial API began reporting wildly high prices for the Korean Won.

“Our price oracle has a mechanism for discarding outliers and should have absorbed this discrepancy gracefully, unfortunately the price feed for KRW was only being served by two APIs at that time due to an earlier unrelated outage which had not been caught by our exception reporting,” wrote Warwick.

From the report:

There are currently a number of trading bots actively trading on using different strategies, one of these bots was able to detect this price error and exploit it to trade into and out of sKRW during the window where the API was incorrectly reporting the price. This resulted in several trades with profits of 1000x, resulting in over $1b in profit in less than an hour.

Luckily the bot owner understood their preposterous position and agreed to send the crypto back, a noble and/or important part of growing ecosystems like this one.

“No funds were lost, the owner of the bot who exploited the issue agreed to reverse the trades,” Warwick said. “He was unaware of the issue (his bot was fully automated) until after the news broke. He reached out on Reddit once he knew and we negotiated a bounty for reversing the trades. His goal was to build a profitable bot and he wanted to make sure the profit he had made up to that point, about 30k, was safe. So we paid him a bounty for reversing the trade, since his bot was the only one that was able to exploit the oracle defect.”
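The oracle failure Warwick describes, outlier discarding that stops working once only two feeds remain, is shown here as an added example (not Synthetix's oracle code): with two sources a median has no majority to outvote a bad quote, so the hardened aggregator refuses to publish. The function names, thresholds and KRW quotes are constructed assumptions.

```python
from statistics import median

MIN_SOURCES = 3       # assumed quorum: two feeds cannot outvote one bad quote
MAX_DEVIATION = 0.02  # assumed: a quote "agrees" if within 2% of the median
MAX_STEP = 0.10       # assumed circuit breaker: max move vs. last published price


class OracleHalt(Exception):
    """Raised instead of publishing a price the aggregator cannot vouch for."""


def naive_aggregate(quotes):
    """Weak form: median of whatever feeds answered, however few they are."""
    return median(q for q in quotes.values() if q is not None)


def aggregate(quotes, last_price):
    """Hardened form: publish only with a quorum of agreeing feeds, else halt."""
    live = [q for q in quotes.values() if q is not None and q > 0]
    if len(live) < MIN_SOURCES:
        raise OracleHalt(f"only {len(live)} live feeds, need {MIN_SOURCES}")
    mid = median(live)
    agreeing = [q for q in live if abs(q - mid) / mid <= MAX_DEVIATION]
    if 2 * len(agreeing) <= len(live):
        raise OracleHalt("no majority of feeds agrees on a price")
    price = median(agreeing)
    if abs(price - last_price) / last_price > MAX_STEP:
        raise OracleHalt(f"price moved {price / last_price:.1f}x since last update")
    return price


if __name__ == "__main__":
    last = 0.00085  # constructed USD-per-KRW value, not taken from the incident
    cases = {       # constructed quotes; "api_c" reports a price 1000x too high
        "three feeds, one bad": {"api_a": 0.00085, "api_b": 0.000851, "api_c": 0.85},
        "two feeds, one bad": {"api_a": None, "api_b": 0.000851, "api_c": 0.85},
    }
    for name, quotes in cases.items():
        print(name, "| naive:", naive_aggregate(quotes))
        try:
            print(name, "| hardened:", aggregate(quotes, last))
        except OracleHalt as halt:
            print(name, "| hardened: HALT,", halt)
```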
