DODO, a crypto exchange with contracts on both Binance’s Smart Chain and Ethereum, has suffered a $2.1M hack.
The hacker attacked DODO’s Crowdpools, which the project launched in February as part of their version 2 (V2).
“On March 8, Several DODO V2 Crowdpools were attacked. WSZO, WCRES, ETHA, and FUSI pools were impacted, while AC pool funds have been fully recovered,” the team said on Twitter. “Funds in all other pools, including all V1 pools and all non-Crowdpool V2 pools, are safe.”
DODO said it is working closely with its security partner and experts to recover the funds and will “provide more information as soon as it becomes available.”
Luciano Orlando, founder of DeFi LATAM, told The Defiant that while he might be “missing some of the tech specs of the exploit… the core point is that the initialization function for those pools shouldn’t have been publicly accessible.”
This allowed the hacker to mint fake ERC-20 tokens for their DODO pool, reinitialize the WCRES/USDT pool and deposit the fake tokens inside, then remove the liquidity, according to Orlando.
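The flaw Orlando describes, an initialization function that anyone can call again, is shown below as an added example next to a guarded version. This is illustrative code written for this article, not DODO's contract; the contract names `UnguardedPool` and `GuardedPool`, the `init` signature and the state variables are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical pool, for illustration only. Not DODO's code.
contract UnguardedPool {
    address public baseToken;
    address public quoteToken;

    // Weak: external, callable by any address, any number of times.
    // A later call silently repoints the pool at different token contracts
    // while the real assets deposited earlier remain in the pool's balance.
    function init(address base, address quote) external {
        baseToken = base;
        quoteToken = quote;
    }
}

// Same hypothetical pool with a one-time initializer.
contract GuardedPool {
    address public baseToken;
    address public quoteToken;
    bool private initialized;

    error AlreadyInitialized();
    error ZeroAddress();

    event Initialized(address indexed base, address indexed quote);

    // Succeeds once, then reverts forever. The deployer should call this
    // in the same transaction that creates the pool, so that no other
    // account can claim the single allowed call first.
    function init(address base, address quote) external {
        if (initialized) revert AlreadyInitialized();
        if (base == address(0) || quote == address(0)) revert ZeroAddress();

        initialized = true; // set the flag before writing configuration
        baseToken = base;
        quoteToken = quote;

        emit Initialized(base, quote); // a second event per pool would be an alert
    }
}
```

A unit test that calls `init` a second time and expects a revert, run against every pool template, catches this class of bug before deployment.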
In response, the DODO team has halted the pool creation portal on the exchange.
According to DODO’s V2 docs, Crowdpools function similarly to call auctions, the most successful of which had $25M of funds staked in the last three hours before the hack.