On July 6, 2022, the wallet address pavladiv.near triggered an error on the USN v2.0 smart contract when it tried to exchange $USN for $USDT twice and both attempts failed.
When a transaction fails, the smart contract refunds the user's $USN. However, the smart contract on the Decentral Bank platform misplaced the decimal point in both transactions returning 4,9995 USN, so across the 2 refunds the pavladiv.near wallet received a total of nearly 10 trillion USN.
This event was quickly noticed by the Decentral Bank team. The $USN smart contract was halted immediately, and a fix was deployed shortly thereafter.
Change in quantity of total supply USN
After discovering the incident, Decentral Bank had to halt the protocol as an emergency measure and fix the vulnerability. The project quickly burned the newly created USN to bring the total supply back to the old level of 114.16 million USD.
Source: https://decentral-bank.finance/swap
pavladiv.near interacted with the new $USN to $USDT swap on the Near network through the Decentral Bank website.
Details of 2 failed transactions:
- Transaction #1: https://explorer.near.org/transactions/78ZJRSEaWa9RzzwktMSide2RQ5Q6AzC9xJVfRQMoCMqH
- Transaction #2: https://explorer.near.org/transactions/FmezbevJTJzpYn6LarheeejsTGL6yuJ8KrhppMfddiEQ
The bug in the decimal conversion has been fixed and the smart contract has been updated, ensuring that hackers will no longer be able to take advantage of this vulnerability. This issue will be fixed as soon as possible and an announcement will follow soon.
The project admits that, had the response been delayed, the vulnerability could have been exploited by hackers, which could have led to serious consequences for the Near ecosystem in general and for Ref Finance, the main DEX on the Near network.
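The misplaced decimal in the refund path described above is a unit-scaling error. The Rust example below is an added illustration of that class of bug and of a refund invariant that catches it; it is not Decentral Bank's contract code, and the page does not give the actual root cause. The decimal counts (18 for USN, 6 for USDT) and all function names are assumptions made for the example.

```rust
// Added illustration of a decimal-scaling bug on a refund path.
// Assumed token precisions (not stated on the page).
const USN_DECIMALS: u32 = 18;
const USDT_DECIMALS: u32 = 6;

/// Rescale a raw integer amount from one token precision to another.
/// Returns None if the multiplication would overflow u128.
fn rescale(amount: u128, from: u32, to: u32) -> Option<u128> {
    if to >= from {
        amount.checked_mul(10u128.checked_pow(to - from)?)
    } else {
        Some(amount / 10u128.pow(from - to))
    }
}

/// Hypothetical buggy refund: the amount is already in USN base units,
/// but the failure path rescales it as if it were in USDT base units.
fn refund_buggy(deposited_usn: u128) -> Option<u128> {
    rescale(deposited_usn, USDT_DECIMALS, USN_DECIMALS)
}

/// Hardened refund: whatever the refund path computed, it must never
/// exceed what the caller deposited. A violation aborts the refund.
fn refund_checked(deposited_usn: u128, computed: u128) -> Result<u128, &'static str> {
    if computed > deposited_usn {
        return Err("refund exceeds deposit: abort and halt");
    }
    Ok(computed)
}

fn main() {
    // Constructed sample: 4.9995 USN expressed in 18-decimal base units.
    let deposited = 49_995 * 10u128.pow(14);
    let bad = refund_buggy(deposited).expect("no overflow for this sample");
    println!("deposited raw: {deposited}");
    println!("buggy refund raw: {bad} (x{})", bad / deposited);
    println!("invariant on buggy value: {:?}", refund_checked(deposited, bad));
    println!("invariant on correct value: {:?}", refund_checked(deposited, deposited));
}
```

Under the assumed precisions, a refund scaled in the wrong direction is inflated by a factor of 10^12, which the deposit-bound check rejects before any tokens are minted.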