PAID network - Infinite mint attack? Or rug pull?

On Friday 5th March, a sudden and significant drop in PAID price was picked up by the community. PAID was being attacked - or so it was thought.

For reasons unknown, the attacker had possession of the private key to the original contract deployer. The attacker carried out an infinite mint attack and a total of 59 million $PAID tokens / net of $180 million was transferred to the attacker's account. This would have been the largest attack in DeFi history to date, however, only some tokens were converted to wrapped Ether - and the remainder had rapidly declined in value, therefore the total lost was around £37 million. The infinite mint attack caused $PAID's value to drop significantly by 85%. which took the price from $2.86 to $0.32.

The attack has been likened to the Cover attack which we wrote about recently.

An examination of the attack

The attack was caused by 2 vulnerabilities - a leaked private key and a failure in key management processes. The details around how the private key was leaked remains unknown.

The attacker used the private key to access the original contract deployer and transfer ownership, before upgrading the smart contract to a new contract, which had the ability to burn and re-mint tokens.

The tokens were burned first because the maximum supply had already been reached. The re-minted tokens were subsequently transferred to an address controlled by the attacker. After 20 minutes of selling the tokens on Uniswap for ETH, the PAID team pulled liquidity from Uniswap in order to mitigate the damage. By this point, the attacker had sold 2,501,203 $PAID tokens on Uniswap for a total of 2,040.4339 ETH.

Hack? Or Rug Pull?

To prevent further damage, the PAID Network is relaunching its token to wipe the attacker from the ledger of token holders, moving the control of the new token contract to a multisig, and securing security and process audits.

However, PAID’s deployer contract, an externally controlled account, transferred ownership of the deployer to the attacker 30 minutes before the mint.

War on Rugs, a community which raises the alarm on potentially vulnerable contracts of this kind, raised the alarm back in January.

This begs the question - was PAID network exploited? Or was it an inside job?