Arkadiko Swap Detailed Post Mortem

  1. Anyone can create a pair on Arkadiko Swap
  2. To create a pair, a user needs to provide two SIP10 tokens together with an LP token and an initial trading price.
  3. When adding a new pair, the contract did not correctly check that the LP token was a valid one to go with the pair. As a result, an attacker could provide an already existing LP token (in this case wstx-usda) which should not be associated with the new Token X and Token Y.
  4. Through step 3, the attacker minted a large amount of legitimate LP tokens on a bogus pair and immediately withdrew that position, draining STX and USDA.
  5. This resulted in the attacker receiving underlying assets from LP tokens that were minted at zero cost.

Line 189 is the source of the bug and what enabled the exploit.
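The missing check from step 3, as a simplified Python model added here for illustration; it is not Arkadiko's Clarity contract. The class and function names, the account names, the amounts and the square-root initial mint are all assumptions of the example.

```python
from math import isqrt

class SwapError(Exception):
    pass

class LPToken:
    """Minimal fungible LP token (constructed for this example)."""
    def __init__(self, name):
        self.name, self.balances = name, {}

    def mint(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def supply(self):
        return sum(self.balances.values())

class Swap:
    def __init__(self, enforce_lp_binding):
        self.enforce_lp_binding = enforce_lp_binding
        self.pairs = {}      # (token_x, token_y) -> reserves and LP token
        self.lp_bound = {}   # LP token name -> the one pair allowed to mint it

    def create_pair(self, who, token_x, token_y, lp, amount_x, amount_y):
        key = (token_x, token_y)
        if key in self.pairs:
            raise SwapError("pair already exists")
        # The check the post-mortem says was missing: an LP token may back
        # exactly one pair, so a new pair cannot mint an existing pair's token.
        if self.enforce_lp_binding and lp.name in self.lp_bound:
            raise SwapError("LP token already registered to another pair")
        self.lp_bound.setdefault(lp.name, key)
        self.pairs[key] = {"lp": lp, "x": amount_x, "y": amount_y}
        lp.mint(who, isqrt(amount_x * amount_y))  # assumed initial-mint rule

    def claim(self, who, token_x, token_y):
        """Pro-rata share of a pair's reserves that `who`'s LP balance redeems."""
        pair = self.pairs[(token_x, token_y)]
        held, supply = pair["lp"].balances.get(who, 0), pair["lp"].supply()
        return (pair["x"] * held // supply, pair["y"] * held // supply)

def run(enforce_lp_binding):
    """Constructed scenario: an honest wstx-usda pool, then a pair reusing its LP token."""
    swap, lp = Swap(enforce_lp_binding), LPToken("wstx-usda-lp")
    swap.create_pair("alice", "wstx", "usda", lp, 1_000, 4_000)
    try:
        swap.create_pair("mallory", "token-x", "token-y", lp, 10**6, 10**6)
    except SwapError as err:
        return "rejected", str(err), swap.claim("alice", "wstx", "usda")
    return "accepted", None, swap.claim("alice", "wstx", "usda")
```

With the binding enforced, the second pair is rejected and the honest provider's claim on the pool stays at the full reserves; without it, the shared LP supply inflates and that claim collapses to almost nothing.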


Arkadiko Protocol is a stablecoin (USDA) built on Stacks to bring DeFi to Bitcoin.
