On April 5, 2021, Polkatrain, a decentralized fundraising platform operating in the Polkadot ecosystem, suffered a rebate arbitrage attack resulting in the loss of $3 million.
The attack was detected by blockchain ecosystem security platform SlowMist, indicating that the hack targeted Polkatrain contract with swap functionality and rebate mechanism dubbed POLT_LB.
The analysis adds that the attackers took advantage of the flaws in the system’s update function.
In this case, when users purchase the Polkatrain native token PLOT, they are eligible for a certain amount of rebates. The system’s design sends the rebates through the transfer function, where the update function takes over.
SlowMist explains the flaws in the update function that the attackers explored. According to the cybersecurity company:
“Since the update function does not set the maximum amount of rebates in a pool, nor does it determine whether the total used up rebates, malicious arbitrageurs can continue to call the swap function to exchange tokens to get the contract,” SlowMist said.
Polkatrain confirms hack
Elsewhere, Polkatrain in a statement confirmed the incident stating that it will follow up in the coming days.
“Polkatrain team has identified and verified that the hacking incident is a malicious attack by hacker, he used the problem similar with slippage tolerance,” Polkatrain said.
The platform revealed that the name of the hacker has already been identified as Mr. Jiang.
Interestingly, Polkatrain did not specify the amount lost through the hack. Furthermore, the platform urged the hacker to return the stolen funds or risk arrest from authorities in China.
The attack contributes to the total cumulative funds lost in blockchain hacks, with SlowMist placing the total figure around $14.5 billion.