On Thursday (March 24), Cardano-powered decentralized exchange (DEX) Minswap announced that it had patched the “critical vulnerability that would allow someone to drain all the Liquidity in the Smart Contract.”
What is Minswap?
According to its white paper, Minswap is “an automated market-maker (AMM) decentralized exchange (DEX) on Cardano which supports multiple pricing functions for a single liquidity pool.”
This is an “elevator pitch” description of Minswap from the project’s FAQ guide:
“We aim to bring an innovative multi-model asset pool decentralized exchange to the Cardano blockchain. Minswap aims to be the best liquidity provider on the market by integrating the best asset pool models from across the DEX ecosystem into one protocol. The combination of stable pools, multi-asset pools, and concentrated liquidity will benefit both traders and liquidity providers. Our tokens are fairly distributed without any private or VC investment. This ensures our community of users are maximally rewarded, not speculators and insiders.“
The Minswap protocol has two types of tokens:
- MIN token: “The governance token of the protocol with future utility.”
- MINt token: “A token that can be converted to MIN through usage of the protocol.
Here are a few more facts about Minswap:
- “MIN tokens are distributed fairly to protocol participants and Liquidity Providers, who can participate in governance and vote democratically on protocol changes.“
- “Minswap is permissionless, meaning anybody can list tokens without needing KYC.“
- “Minswap supported SPOs through the FISO and plans to continue doing so with a community-oriented ADA delegation policy…“
- “Minswap will embrace Community Governance through a DAO, and introduce novel features such as gamification or profit sharing.“
As for token distribution, “78.5% of tokens will be distributed to the community, of which 70% are reserved to reward LPs.”
At present, Minswap “supports CCVault, Nami, Flint, Typhon and GeroWallet,” and it plans to add support for Yoroi in the future.
On March 19, Minswap announced that it had open-sourced its code:
Discovery and Patching of the Security Vulnerability
In a blog post published yesterday, the Minswap team wrote that three days after it open-sourced its smart contract code and audit report, i.e. on March 22, it was told about a critical vulnerability in its contracts. The team then “confirmed the vulnerability and successfully reproduced it on the private testnet.” The team then “decided to immediately censor all orders to prevent this vulnerability from being exploited, and start focusing on a solution.”
The critical vulnerability “consisted of the possibility to mint duplicated pool NFT tokens and use those NFT tokens to mint infinite LP tokens of any pool.”
The solution the Minswap team came up with was quite clever: they wrote a new smart contract that patches this vulnerability and they used the same vulnerability, which existed in the old smart contract, to move all liquidity to the new smart contract, so that “all users would retain their positions.” In other words, they acted like hackers to explot this vulnerability to “drain all liquidity, then create liquidity pools on the new contract and airdrop new LP tokens back to users based on a snapshot we had taken of their prior positions.”
The Minswap team pointed out that it “cannot migrate liquidity at its own will from one Smart Contract to another” and “liquidity was migrated to a new Smart Contract because a vulnerability was discovered that would allow this to happen, and it was migrated precisely to avoid this exploit from happening.” Since the vulnerability has now been patched, Now that the fix has been implemented, “it is no longer possible for the Minswap Team to unilaterally move liquidity.”
Furthermore, while the Minswap was dealing with the security upgrade, it was “notified of three additional, less severe vulnerabilities that could lead to misuses by the batcher or owner (aka admin) agents regarding pool parameters and datum manipulation.” These have been patched as well.
To enhance security in the short term, the Minswap team has for now made “new pool creation permissioned.” In Minswap DEX v2, they will transition “into a more decentralized and trustless model.” Another step that was taken to improve security was” immediately entering a continuous audit and code review process with a new top Haskell security firm.”
All user funds are safe. Minswap users “retain their positions from before we went into maintenance mode, including staked LP Tokens in Farms and accumulation of MIN rewards during that time for doing so.”
Disclaimer
The views and opinions expressed by the author, or any people mentioned in this article, are for informational purposes only, and they do not constitute financial, investment, or other advice. Investing in or trading cryptoassets comes with a risk of financial loss.