Synapse is an automated market-making platform similar to Uniswap, but it also includes a bridge that moves tokens across blockchains. It aims to be a decentralized finance platform that replaces banks and provides interoperability between different blockchains. It was just announced on Twitter that Synapse has been hacked for up to $8m in stablecoin.
Automated market makers (AMMs) use liquidity pools and algorithms to make exchanges decentralized. Users provide tokens for both sides of a potential trade in exchange for a return on investment. While providing liquidity, the tokens are locked in the smart contract and must be withdrawn before the user can access them again.
On 8 November, a user was able to manipulate the price of one of the stablecoins used on the AMM. They then used the altered price to drain one of the liquidity pools for over $8m. While the postmortem of the hack has not come out yet, many on Twitter have looked into the transactions and come to their own conclusions.
The hacker found a loophole in the contract that allowed them to add USDC to a liquidity pool, remove it as nUSD, and swap the nUSD to USDC, repeating the process multiple times.
AMMs use a mathematical formula to calculate the price of a token. The price changes depending on how much is purchased or sold. The AMM did not account for nUSD being created from an alternate source, in this case by removing liquidity from a USDC pool. Doing so changed the price of nUSD, and the altered price was used to drain funds out of the liquidity pools.
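To make the pricing point concrete, here is an added example (not Synapse's code, and not from the original article) of a pool whose price is derived from its balances, with a guard that refuses swaps when the price drifts from the 1:1 stablecoin peg. The constant-product formula, the `Pool` class, the `shift_balances` helper, the 2% tolerance and all balances are assumptions chosen for illustration; the article does not say which formula Synapse uses.

```python
from fractions import Fraction

class Pool:
    """Two-token constant-product pool (usdc * nusd = k), no fees. Illustrative only."""

    def __init__(self, usdc, nusd):
        self.usdc = Fraction(usdc)
        self.nusd = Fraction(nusd)

    def spot_price(self):
        """USDC paid per nUSD for a very small trade; depends only on balances."""
        return self.usdc / self.nusd

    def quote_nusd_in(self, amount):
        """USDC paid out for selling `amount` nUSD while keeping usdc * nusd constant."""
        k = self.usdc * self.nusd
        return self.usdc - k / (self.nusd + amount)

    def shift_balances(self, usdc_delta, nusd_delta):
        """Balance change that bypasses the swap path, e.g. a liquidity add or removal."""
        self.usdc += usdc_delta
        self.nusd += nusd_delta

    def swap_nusd_in(self, amount, max_deviation=Fraction(2, 100)):
        """Swap nUSD for USDC, but only while the pool price is near the 1:1 peg."""
        if abs(self.spot_price() - 1) > max_deviation:
            raise ValueError("pool price too far from peg; swap refused")
        out = self.quote_nusd_in(amount)
        self.nusd += amount
        self.usdc -= out
        return out

def demo():
    pool = Pool(1_000_000, 1_000_000)            # constructed sample balances
    small = pool.quote_nusd_in(1_000)            # small trade: close to 1:1
    large = pool.quote_nusd_in(500_000)          # large trade: heavy price impact
    pool.shift_balances(0, -200_000)             # nUSD leaves the pool outside a swap
    price_after = pool.spot_price()              # price moved with no trade at all
    try:
        pool.swap_nusd_in(1_000)
        refused = False
    except ValueError:
        refused = True                           # guard blocks trading at the skewed price
    return small, large, price_after, refused

if __name__ == "__main__":
    print([float(v) if isinstance(v, Fraction) else v for v in demo()])
```

The guard compares the pool price with a fixed peg only because both tokens are stablecoins; a pool of non-pegged assets would need an independent reference price instead.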
Luckily for the users, the hacker was caught quickly as they were trying to remove the funds from the platform. The funds are now frozen and the hacker does not have access.
The developers say they will not validate removing the funds, as the activity was fraudulent, and will instead recover the users' losses.
While no one will lose money in this exploit, it is a harsh reminder that newer and more complex decentralized finance platforms are targets for hackers.
If a platform has not stood the test of time, it is always wise to allocate only a small portion of your funds to it, to avoid a serious loss if its smart contracts contain bugs.