The decentralized finance exchange DODO announced Tuesday that attackers stole $3.8 million by exploiting bugs in DODO’s V2 Crowdpools smart contracts.
Two seemingly independent actors took part in this attack, unlike the lone attacker typical of major exploits like Harvest Finance or KuCoin.
Ultimately, a total of $3.8 million was stolen from DODO. According to an update, the exchange recovered $1.89 million, consisting of about 1,140,000 USDT and 411 ETH, and plans to return the funds to affected parties.
The first actor, whom DODO calls “Individual A,” essentially created counterfeit DODO tokens and exchanged them for real ones through the smart contract bug. After the hack, Individual A contacted prominent white-hat hacker @samczsun from Paradigm to help return the stolen funds to DODO. A white-hat hacker is someone who hacks a protocol to expose weaknesses and help strengthen the system rather than merely to gain a profit.
“Individual B,” who performed three exploits on the smart contract 10 minutes after Individual A, is suspected to be a bot based on their actions, such as using CHI gastokens, prefixing their contract address with numerous 0's, and setting unusually high gas prices. It is unclear whether Individual B will return funds to the decentralized exchange.
DODO, which had a total valuation of $50 million by last September, says trading and DODO-approved wallet addresses remain unaffected by the exploits.