DeFi project Ede Finance admitted that it made a decision to manipulate prices, after the protocol was exploited for around $580,000.
The attacker who exploited it claimed they were a white hat, acting for good, and that they were trying to expose how the Arbitrum-based project worked, according to security analysts PeckShield. They claimed, in messages sent over the blockchain, that the project's core team had a backdoor that allowed them to liquidate any user's trade on the supposedly decentralized protocol. They said this activity involved using fake prices and claimed the intention was to steal user funds.
The attacker said that if the developers admit to this practice, they would return the funds minus a 10% bounty for themselves. They also mentioned there were additional vulnerabilities.
The Ede Finance developers replied, "Yes we acknowledge making an ill-advised decision to manipulate the price. However our intention was to blacklist those who had previously exploited the system, fully aware that all transactions are recorded on the blockchain. We did not aim to misappropriate users' funds as this would leave a traceable record."
The team then said it would remove the smart contract that enables this behavior. They also said they would agree to the terms of the bounty and would use their own funds to cover the shortfall. The team offered the exploiter 5% of the team's token allocation, subject to vesting periods, for pointing out the other vulnerabilities.
Ede Finance speaks out
Speaking to The Block, Ede Finance said it is not accurate that it can update or liquidate users' positions but claimed the hacker exploited a flaw in its price oracles.
"From a technical standpoint, it is correct that the price feed contracts can be updated through the EDE oracle bot, which is controlled by the team's multi-signature wallet. However, it's important to emphasize that any such updates would be recorded on the blockchain, leaving a traceable record. Given this transparency, it would be illogical for us to engage in price manipulation," the team said.
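The pattern the team describes, a price feed contract whose values a privileged updater (an oracle bot keyed to a multisig) can overwrite, is what lets a single transaction price any open position for liquidation. The following contracts are an added illustration, not EDE Finance's code and not a reconstruction of its oracle; the contract and function names, the basis-point deviation limit and the staleness window are assumptions chosen to show the unguarded pattern next to a guarded one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only: not EDE Finance code. Contrasts a price feed that a
// privileged updater can set to any value with a variant that bounds each
// update and lets consumers reject stale data. All names are hypothetical.

/// Pattern 1: the updater (an off-chain bot key, or a multisig) sets any price.
/// Every position priced off this feed can be liquidated by one privileged call,
/// and the only protection users have is that the call is visible on-chain.
contract NaivePriceFeed {
    address public immutable updater;
    uint256 public price; // scaled by 1e18

    constructor(address _updater) {
        updater = _updater;
    }

    function setPrice(uint256 newPrice) external {
        require(msg.sender == updater, "not updater");
        price = newPrice; // no bounds, no delay, no second source
    }
}

/// Pattern 2: the same privileged updater, but a single update cannot move the
/// price more than maxDeviationBps, and consumers refuse data older than
/// maxStaleness, so a feed the bot has stopped updating cannot price a liquidation.
contract GuardedPriceFeed {
    address public immutable updater;
    uint256 public price;     // scaled by 1e18
    uint256 public updatedAt; // block.timestamp of the last accepted update
    uint256 public immutable maxDeviationBps; // assumed e.g. 500 = 5% per update
    uint256 public immutable maxStaleness;    // seconds

    event PriceUpdated(uint256 oldPrice, uint256 newPrice, uint256 at);

    constructor(
        address _updater,
        uint256 initialPrice,
        uint256 _maxDeviationBps,
        uint256 _maxStaleness
    ) {
        require(initialPrice > 0, "zero price");
        updater = _updater;
        price = initialPrice;
        updatedAt = block.timestamp;
        maxDeviationBps = _maxDeviationBps;
        maxStaleness = _maxStaleness;
    }

    function setPrice(uint256 newPrice) external {
        require(msg.sender == updater, "not updater");
        require(newPrice > 0, "zero price");
        uint256 old = price;
        uint256 diff = newPrice > old ? newPrice - old : old - newPrice;
        // Reject any single update that moves the price by more than the cap.
        require(diff * 10_000 <= old * maxDeviationBps, "deviation too large");
        price = newPrice;
        updatedAt = block.timestamp;
        emit PriceUpdated(old, newPrice, block.timestamp);
    }

    /// Liquidation and margin code should read through this rather than `price`,
    /// so that a stale feed reverts instead of silently pricing positions.
    function latestPrice() external view returns (uint256) {
        require(block.timestamp - updatedAt <= maxStaleness, "stale price");
        return price;
    }
}
```

The deviation cap limits the damage of one bad update, not of a patient updater that walks the price in many small steps, so in practice it is paired with a rate limit, a timelock on parameter changes, or a second independent source. Neither variant removes the trust placed in the updater key; the guarded one just makes that trust bounded and checkable, which is what an audit of a protocol's oracle path should be establishing.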
The team further claimed the hacker did not voluntarily stop the exploit but was prevented from further attacks by the team.
"If the attacker considers himself a white hat, we urge him to return more funds. He is welcome to retain the 10% exploit fund from ELP-1 and the $90K from the ELP-3 fund. However, claiming more than that demonstrates greed and an attempt to use the label of a white hat to evade responsibility. It is evident that he has left traces behind," it said.
PeckShield also noted that while the project had been audited, the length of the audit was just three days.
The project's native token has fallen from $2.43 to $1.18 over the last 24 hours, down 51%.
© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.