Twindex Post-Mortem — Following an incident on 2 OCT 2021
On October 2, 2021, our platform was exploited by a syndicate of sophisticated attackers. The first attack transaction is:
https://bscscan.com/tx/0x24180e59f48bb6291213c3960ad516c23701e9d501fd6105f4087789f0a8d74a
The attack was carried out twice, at 12 AM and 3 AM UTC, for a total loss of approximately $538,109. Exploits of this type are not uncommon in DeFi and have also hit larger, more mature projects; the situations are similar, and the actors behind them operate with the same unethical intent.
We deeply apologize for the unexpected attacks that have taken place. We acknowledge what happened and are doing our best to regain trust in our platform. Immediately after the incident we held an internal post-mortem meeting and investigated the root causes of the attacks. The following paragraphs describe the post-mortem analysis and the next actions we are taking to keep your funds safe on our platform and to ensure that the platform grows sustainably in the future.
Kindly note that the attack only affected the circulating supply of TWX, which is what caused the sharp drop in the TWX price. All other areas, including the KUSD and tAsset pegs and all liquidity pools, were not affected.
After the investigation, we found that this was a flash loan attack: the attacker borrowed a large amount of tokens, performed the actions described in the next paragraph, and returned the borrowed funds, all within a single transaction. Their goal was to extract the maximum profit from the trade opportunity that the manipulation created.
To explain: the attacker manipulated the KUSD price oracle, which feeds every smart contract that depends on it, including the minting and redemption process for tAssets. Using the manipulated price, the attacker minted tXAU and then redeemed it, receiving far more TWX at redemption than had been required at minting. The attacker then sold the TWX received.
We would like to express our sincere and deep apology to all investors for the incident. We have also been working with several parties to recover the damages from this exploit, and progress so far is encouraging. We demand that the attacker return the proceeds as soon as possible. As soon as our team became aware of the incident, we took the following actions to stop further attacks:
- Temporarily fixed the KUSD oracle price at $1 to prevent oracle price manipulation. Note that a fixed price cannot reflect a genuine deviation of KUSD from $1, so this is not a permanent solution.
- Temporarily capped the amount of DOPX and TWX that can be transferred to 30,000 tokens per transaction, to make flash loan attacks (which must borrow, act and repay within one transaction) impractical. This affects every transaction, including swaps, adding or removing liquidity, and all minting, redemption, buyback and re-collateralization.
- Buyback and re-collateralization are disabled for the public and now restricted to whitelisted team addresses only.
To prevent similar attacks from happening, we are taking the following measures to ensure the safety of your funds.
- We will fix the KUSD oracle so that its price is updated correctly, and use a time-weighted average price (TWAP) as the reference, so that a price swing confined to a single transaction cannot move the value the contracts read.
- We will restrict the addresses that can update the KUSD oracle price, to prevent oracle price manipulation.
- To bring the TWX supply back to a level that is healthy for the platform, we will manually set the Target Collateral Ratio (TCR) to 50% and double the multiplier for the KUSD-tAsset pools. This should accelerate the burn rate of TWX and bring the circulating supply closer to its pre-incident level.
- The Twindex v2 contracts are already under audit by CertiK to address any remaining vulnerabilities. To further ensure safety, we plan to submit our code to other audit firms as well.
- We will purchase insurance for the platform to make sure sufficient funds are available to reasonably compensate for the damage of any future incident.
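The attack path described above (mint and redeem tAssets against a manipulable KUSD price) and the two oracle measures in this list (TWAP reference, restricted updaters), modelled in Python as an added example. This is not the Twindex contracts or any code from the Dopple & Twindex team. Everything in it is assumed for illustration: the collateral ratio, the tXAU price, the TWX/KUSD rate, a zero-fee constant-product KUSD/BUSD pool as the price source, and a mint/redeem formula in which only the TWX leg is priced through the KUSD oracle. The same single-transaction sequence is run against a spot-price feeder and against a TWAP feeder with an allow-listed keeper.

```python
"""Added model: the TWX leg of tAsset mint/redeem is priced via the KUSD oracle,
so a feeder quoting live spot can be skewed inside one flash-loan transaction.
A TWAP feeder with an allow-listed updater is shown beside it. All values assumed."""
from dataclasses import dataclass

CR = 0.8            # assumed collateral ratio: share of tAsset value backed by KUSD
P_XAU = 1750.0      # assumed tXAU reference price in USD, held constant
TWX_PER_KUSD = 2.0  # assumed TWX/KUSD pool rate, held constant


@dataclass
class Pool:
    """Zero-fee constant-product KUSD/BUSD pool; BUSD is treated as exactly $1."""
    kusd: float
    busd: float

    def spot(self) -> float:                  # USD price of one KUSD
        return self.busd / self.kusd

    def swap_kusd_in(self, amt: float) -> float:   # returns BUSD received
        out = self.busd - self.kusd * self.busd / (self.kusd + amt)
        self.kusd, self.busd = self.kusd + amt, self.busd - out
        return out

    def swap_busd_in(self, amt: float) -> float:   # returns KUSD received
        out = self.kusd - self.kusd * self.busd / (self.busd + amt)
        self.busd, self.kusd = self.busd + amt, self.kusd - out
        return out


class SpotFeeder:
    """Vulnerable design: read() is the pool's live spot price, so whoever can
    move the pool moves the oracle within the same transaction."""
    def __init__(self, pool: Pool):
        self.pool = pool

    def update(self, caller: str, now: int) -> None:
        pass                                  # nothing stored; read() is live

    def read(self, now: int) -> float:
        return self.pool.spot()


class TwapFeeder:
    """Hardened design: only allow-listed updaters record observations, and
    read() returns the time-weighted average over the last `window` seconds."""
    def __init__(self, pool: Pool, updaters, now: int, window: int = 3600):
        self.pool, self.updaters, self.window = pool, set(updaters), window
        self.obs = [(now, pool.spot())]       # (timestamp, price) observations

    def update(self, caller: str, now: int) -> None:
        if caller not in self.updaters:
            raise PermissionError(f"{caller} is not an allowed updater")
        self.obs.append((now, self.pool.spot()))

    def read(self, now: int) -> float:
        start, total, weight = now - self.window, 0.0, 0.0
        # each observation's price holds until the next observation (or now)
        for (t0, price), (t1, _) in zip(self.obs, self.obs[1:] + [(now, None)]):
            lo, hi = max(t0, start), min(t1, now)
            if hi > lo:
                total += price * (hi - lo)
                weight += hi - lo
        if weight == 0:                       # refuse to quote without history
            raise ValueError("no price history inside the TWAP window")
        return total / weight


def twx_leg(kusd_usd: float, n_txau: float = 1.0) -> float:
    """TWX taken at mint / returned at redeem for n_txau tXAU (assumed formula):
    the non-KUSD share of the value, with TWX priced via the KUSD oracle."""
    twx_usd = kusd_usd / TWX_PER_KUSD
    return (1 - CR) * n_txau * P_XAU / twx_usd


def flash_loan_attack(feeder, pool: Pool, now: int, loan_kusd: float) -> dict:
    """One transaction: mint at the quoted price, dump flash-loaned KUSD into the
    pool to push the KUSD price down, redeem, restore the pool and repay."""
    twx_in = twx_leg(feeder.read(now))                # mint 1 tXAU
    busd_out = pool.swap_kusd_in(loan_kusd)           # skew: KUSD price drops
    try:
        feeder.update("attacker", now)                # try to push the skewed price
    except PermissionError:
        pass                                          # rejected by the allow-list
    twx_out = twx_leg(feeder.read(now))               # redeem 1 tXAU
    pool.swap_busd_in(busd_out)                       # unwind, repay the loan
    return {"twx_in": twx_in, "twx_out": twx_out, "net_twx": twx_out - twx_in}


def compare(now: int = 3600) -> dict:
    """Run the same sequence against both feeder designs on identical pools."""
    results = {}
    for name, make in (("spot", SpotFeeder),
                       ("twap", lambda p: TwapFeeder(p, {"keeper"}, 0))):
        pool = Pool(kusd=1_000_000.0, busd=1_000_000.0)
        feeder = make(pool)
        for t in range(600, now + 1, 600):            # keeper records honest prices
            feeder.update("keeper", t)
        results[name] = flash_loan_attack(feeder, pool, now, 1_000_000.0)
    return results
```

With the assumed numbers, `compare()` shows the spot feeder handing out four times as much TWX at redemption as it took at minting (net gain of TWX from a pool that is left exactly as it was found), while the TWAP feeder returns the same TWX both times. Two properties make the hardened feeder hold: inside one transaction the timestamp does not advance, so an observation recorded at `now` has zero duration and cannot move the average, and the allow-list stops the attacker from recording one in the first place. The caveat is that a TWAP is only as strong as its window: an attacker who can keep the pool skewed across several blocks moves the average in proportion to the time held, so the window must be long enough that holding the skew costs more than the manipulation can earn.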
Once again, we would like to express a heartfelt apology for what has happened. We have learned a lot from this incident, and we always bear in mind that professional due care is essential to achieving our goals, one of which is protecting investors' funds.
At the same time, the incident has given us further assurance that our ecosystem is well designed and continues to operate on a going-concern basis, because KUSD did not lose its peg despite the sharp price plunge caused by the attacks. Moreover, all tAssets in the liquidity pools that traded at a premium or discount because of the attacks have since been arbitraged back by traders on our platform, which is exactly the mechanism we designed for.
We would like to thank the community for its support, which has always been helpful and understanding during this difficult time. We will keep you updated on future actions.
Dopple & Twindex Team