PAID Network exploiter nets $3 million in infinite mint attack

After an attack at one point worth nearly $180 million, community members are left wondering if the exploit is a “rugpull” or a security lapse.

Paid Network, a DeFi platform aimed at real-world businesses, has been exploited today in an “infinite mint” attack that has sent PAID token prices plunging upwards of 85%.

While the exploit netted nearly $180 million in PAID tokens at the time of the attack — what would have comfortably been the largest exploit of a DeFi protocol — the hacker’s payday will end up being far less. One observer noted that the attacker’s wallet only converted some of their tokens to wrapped ether, leaving the rest in rapidly-devaluing PAID tokens: 

https://twitter.com/vasa_develop/status/1367916592089161733?ref_src=twsrc%5Etfw” target=”_blank” rel=”nofollow noreferrer
https://platform.twitter.com/widgets.js

The attacker’s wallet still has over 57 million PAID tokens worth $37 million. 

The exploit is conceptually similar to an attack on insurance protocol Cover that took place in late December last year. In that instance, the team took a “snapshot” of holders prior to the attack and issued a new token, returning the supply of the token to pre-exploit levels.

The team confirmed on Twitter that they are currently planning for a snapshot and restoration:

https://twitter.com/paid_network/status/1367920257202061318?ref_src=twsrc%5Etfw” target=”_blank” rel=”nofollow noreferrer
https://platform.twitter.com/widgets.js

However, token holders anxious for a resolution may be out of luck. Some in the community are speculating that the attack on PAID wasn’t an exploit at all, but instead a “rugpull” — a colloquial term for an insider designing contracts to specifically make them exploitable and swiping user funds. 

Nick Chong of Parafi Capital noted on Twitter that Paid’s deployer contract, an externally controlled account, transferred ownership of the deployer to the attacker shortly before the mint, indicating that a member of the team either rugpulled, or errantly allowed the attack to take place with a security lapse:

https://twitter.com/n2ckchong/status/1367905499585282055?ref_src=twsrc%5Etfw” target=”_blank” rel=”nofollow noreferrer
https://platform.twitter.com/widgets.js

Additionally, a DeFi risk analysis account @WARONRUGS warned of exactly this exploit in late January, noting that the contract owner can mint PAID tokens at any time:

https://twitter.com/WARONRUGS/status/1353771974506459138?ref_src=twsrc%5Etfw” target=”_blank” rel=”nofollow noreferrer
https://platform.twitter.com/widgets.js

An on-chain note sent to the attacker has ominously warned that “the LAPD will be in contact with Kyle Chasse very shortly.” Kyle Chasse is the CEO of Paid Network.

Paid Network did not respond to a request for comment by the time of publication.