Decentral Bank fixes bug that let one user mint 10 trillion USN for just $10

Decentral Bank says it has fixed a smart contract bug that briefly caused about 10 trillion USN tokens to be minted, the stablecoin developer announced on Thursday. The team has burned the tokens and plans to reward the affected user with a bug bounty.

Decentral Bank is a decentralized autonomous organization (DAO) that is developing the USN stablecoin on the Near blockchain.

According to a security incident report shared with The Block, the bug was discovered when a user called “pavladiv.near” tried to swap 5 USN ($5) for 5 USD Tether (USDT) at 01:35 a.m. EDT on July 6. The user attempted the trade via the on-chain swap mechanism on Decentral Bank.

Yet there was an issue that didn't let swaps work if the wallet did not contain any USDT (despite it not being needed for the swap). As a result of this error, the swap failed.

The user tried the process twice and it failed on both occasions. Since the transaction did not go through, the USN smart contract attempted to refund them. This is where the actual bug happened.

The bug caused a misplacement of decimal points when refunding pavladiv.near’s USN. Instead of returning 4.9995 USN (about $5), the smart contract bug minted 4.9995 trillion USN for the user on both occasions, thus creating almost $10 trillion out of thin air.

Decentral Bank, upon noticing the minting bug, paused the contract and deployed a fix to prevent the incorrect decimal placement when refunding a failed swap. The team also burned the excess USN tokens minted by the bug, restoring the circulating supply of USN to its correct state.

If left unchecked, the bug could have been exploited to mint infinite USN. This could have led to a complete drain of the Ref Finance USDT liquidity pool. Ref Finance is a DeFi protocol on the Near network and is also one of Decentral Bank's backers and core contributors.

The USN developer says it is testing a fix for the failure of swaps by users with wallets that have never held USDT. Decentral Bank says users should hold a small portion of USDT when doing such swaps while it prepares to rollout the solution.

Today’s announcement also stated that no one was affected by the bug and that the user who discovered the issue will be rewarded with a bug bounty. The USN smart contract has also been unpaused since 08:27 a.m. EDT on July 6, Decentral Bank stated in its security report.

Decentral Bank recently paused the use of NEAR, the native coin of the Near ecosystem, for minting USN. This move came about following the collapse of TerraUSD (UST), which led to concerns that USN — which was originally designed in a similar way — could suffer the same fate. USDT is now the collateral backing for USN.