Paid Network, a DeFi platform aimed at real-world businesses, was exploited today in an “infinite mint” attack that has sent PAID token prices plunging by upwards of 85%.
While the exploit netted nearly $180 million in PAID tokens at the time of the attack — what would have comfortably been the largest exploit of a DeFi protocol — the hacker’s payday will end up being far less. One observer noted that the attacker’s wallet only converted some of their tokens to wrapped ether, leaving the rest in rapidly-devaluing PAID tokens:
Summary of $PAID incident:
Total PAID swapped to WETH: 2079.603371141493
Total PAID left in account: 594,717,455.71
Total amount in attacker account = $27,418,034.33
Stay Safe.
— vasa (@vasa_develop) March 5, 2021
The attacker’s wallet still has over 57 million PAID tokens worth $37 million.
The exploit is conceptually similar to an attack on insurance protocol Cover that took place in late December last year. In that instance, the team took a “snapshot” of holders prior to the attack and issued a new token, returning the supply of the token to pre-exploit levels.
The team confirmed on Twitter that they are currently planning for a snapshot and restoration:
We are investigating the issue. We pulled liquidity, are creating a new smart contract, & will be restoring everyone’s original balances to before the hack.
Those with staked, Lpool & UniFarm $PAID will have their tokens be sent to them manually.
We will share more updates soon
— PAID NETWORK (@paid_network) March 5, 2021
However, token holders anxious for a resolution may be out of luck. Some in the community are speculating that the attack on PAID wasn’t an exploit at all, but instead a “rugpull” — a colloquial term for an insider designing contracts to specifically make them exploitable and swiping user funds.
Nick Chong of Parafi Capital noted on Twitter that Paid’s deployer contract, an externally…