WatchPug

Those who cannot learn from history are doomed to repeat it.

The Exploit

At around 3:48 AM UTC on Jun 28, a hacker managed to mint a huge amount of SDO (an algo stablecoin on Polygon) and dumped it into the market.

How many?

831,309,277,244,108,000 SDO

That’s a lot.

As a result, the hacker has taken out 202k USDC and 46k USDT. …

How does Impossible Finance make the impossible possible?

The Exploit

At around 4:40 AM UTC on Jun 21, $0.5M (229.84 ETH) was stolen from Impossible Finance.

2 swaps at about the same price, which is usually “impossible”

Using a vulnerability in the LP contract, the hacker managed to swap IF into BUSD at about the same price 2 times in a row, which is usually “Impossible” because of the slippage.

As a…

Fool me once, shame on you. Fool me twice, shame on me. Fool me three times, shame on both of us.

Disclosures: Merlin Lab has engaged WatchPug to perform the 4th audit on their updated security code.

The Exploit

On May 26, 2021, 03:59:05 AM +UTC, less than 48 hrs after the Autoshark hack, Merlin Lab, well, another Bunny fork, was attacked in a similar fashion to the Bunny and the Autoshark hacks.

WatchPug

Pug against Rug
