The value of SafeDollar (SDO), an algorithmic stablecoin intended to be pegged to $1, has dropped to zero after a $248K exploit on Polygon.
In a post-mortem analysis published on June 28, SafeDollar reported it had lost $202K of USDC and $46K of USDT as a result of an attack on one of its pools for the deflationary PlexCoin (PLX) token, which burns 0.15% every time a user deposits into the pool. By providing liquidity to the pool, users could farm SDO rewards which, like other stablecoins, were intended to be safer and less volatile than the majority of crypto tokens.
Infinite Mint Exploit
The exploit happened in the PLX version 1 pool. SushiSwap core developer and security researcher Mudit Gupta took to Twitter to explain what happened. Gupta wrote, under ideal circumstances, any associated burn fees would be paid by the user upon withdrawing their tokens from a reward pool. But due to a bug, every withdrawal burned PLX in SafeDollar’s pool, which allowed the attacker to deplete the pool’s PLX supply by repeatedly depositing and withdrawing tokens in a loop. Then once the pool’s PLX balance was low enough, the attacker could take advantage of the artificially increased SDO reward rates due to the reward being calculated based on the pool’s total holdings.
Gupta called this an “infinite mint exploit.”
Through this method, the attacker claimed $250K in SDO rewards, which they immediately dumped for USDC and USDT through SafeCoin’s USDC/USDT liquidity pools. And everyone else who held SafeDollar was left holding a bag with a broken stablecoin.
SafeDollar said it will announce compensation and a future plan in another article, but there’s a good chance the SDO token will never recover. Oftentimes, it only takes one exploit for a stablecoin to topple completely. With so many other protocol options on the market, users typically take their capital elsewhere as soon as trust erodes. After all, if a stablecoin can be exploited, then it loses its entire purpose.
This is the second Polygon-based stablecoin to topple following an exploit in the past couple weeks. On June 16, Iron Finance flopped after a massive bank run, whereby users exploited the protocol’s two-token system (the IRON stablecoin pegged to $1 and the TITAN collateral token). Users first farmed endless TITAN tokens and then flooded the market with them, causing the IRON stablecoin to drop to a low of $0.58.
The SafeDollar crash serves as yet another cautionary tale for anyone investing in stablecoins to make sure their token of choice really is…well, stable.