Cover Protocol attack enabled exploiters to infinitely mint tokens

In December, Cover was another protocol that suffered an attack, following the line of exploits in 2020.

The attack on Cover's shield mining contract resulted in a loss of $COVER tokens amounting to approximately $6.2 million.

The attackers exploited a bug which allowed users to infinitely mint tokens and allowed the contract to mint more rewards to miners. This caused to total supply of tokens to increase by 48 quadrillion percent. The direct cause of the attack was due to the pools being updated only in memory, which does not update the pools in storage.

An examination of an exploiter's timeline

Several exploits were carried out. We have taken a look at one of these events.

The exploiter made a transaction and deposited 1,326,880 BPT to the contract. The exploiter then withdrew the funds, which exploited the contract for 703.64 $COVER, and withdrew 1,326,878.99 BPT.

He / she proceeded to sell the Cover tokens, before continuing to mint and exploit the bug, allowing them to mint infinitely.

Grap Finance, one of the six addresses to exploit the bug, presented themselves as a 'White Hat" by selling the minted COVER tokens for ETH, before returning it to Cover.

Cover have taken steps to mitigate

Cover attempted to resolve the issue by updating the pool before a deposit and implementing a cron job to run every 20 minutes to update any pools that hadn't been updated.

A compensation plan has also been set up to distribute a new token and return user funds totaling 4351 ETH.