A letter to the community
A bug on the DevLock contract was found (spoiler, funds are safu)
As you guys know, we’ve been very busy during the last month getting everything ready to launch PADSwap.
As a part of the launch process we’ve been stress testing all of our code and while so we found a bug in the Devlock contract that allowed the owners of the contract to remove any amount of TOAD they wanted from the contract.
But before we start we would like to ensure you that no TOAD’s were ever at risk, as only team members were allowed to call those function on the contract.
With that said, as part of TOAD.Network’s emphasis on total transparency, here are the full details on this specific bug and how we managed to fix it.
What was this bug and how was this possible?
What happened was that the Dev Lock contract was based on the TOAD only farm contract, and a line of code that sends the TOAD back to the person who is removing their stake from the farm was left in a function that removes the dev shares from the Dev Lock.
As the owners of the contract, we have the ability to add and remove shares from any address we want. Those shares control the percentage each developer receives from the daily drip.
This created a loophole. As the team was able to add how many shares they wanted without depositing any TOAD, but they would receive that amount of shares in TOAD when removing them from an address.
After discovering that we decided to use this exploit to remove all TOAD from the contract and move them to a new, fixed, version.
The transaction records are listed below so that anyone can verify what was done by the team. Also, if you want to know more specifics about the bug see the full breakdown at the very end of the letter.
Transaction records
1. Added 13,750 shares to an address we control
2. Removed those shares, making the contract send 13,750 TOAD to that address
3. The TOAD we removed was added to a new and patched smart contract
An apology from ToadGuy
As you guys know, I love this community more than anything and although this mistake did not put any TOADS in danger, I’m really disappointed that I let this slip. And I’m willing to take full responsibility for what happened here. I know this is not acceptable and we will work diligently to make sure we wont repeat those same errors in the future. In response to that we have already implemented new security and testing measures and any new contracts will face a full series of audits before deployment.
With that said, we are grateful that we were able to find, correct, and learn from this mistake. We appreciate that this is a community in which we can be fully upfront about not only our successes but also our shortcomings.
A full breakdown on the Dev Lock contract and this exploit.
For you to understand how this exploit worked, you first need to understand how the DevLock smart contract works.
In short, the DevLock is pretty similar to a regular TOAD farm. It has a pool that drips 1% of its value every day split among all everyone that has a share of the pool. But on this case, instead of stacking TOAD to earn a share of the pool, the contract owners can add dev shares to any address they want. The contract was built this way in order to allow the team to add new developers to the contract if they wanted to. As you can see, the DevLock contract is basically a clone of the Farm contract, with the difference being that only owners can add/remove shares and that they don’t need to deposit TOAD in the contract in order to get a % of the pool.
The problem was that while developing this contract, which was based on the Farm contract. I, ToadGuy, forgot to remove a line of code, that sends TOAD to the person who is removing their stake from the contract.
Here you can see the line of code I forgot to remove that caused TOAD to be sent out when removing the shares.
In the TOAD only farm one can deposit and remove TOAD from the pool and once you remove your stake that TOAD is sent back to you. The problem here, is that the owners of the contract could add how many shares they wanted without depositing anything, but once they removed those shares, the same amount of shares that was removed was sent in TOAD to the address of the owner of those shares, instead of just removing them. By now, I think you can see where this is going: The bug gave the owners the ability to drain the contract by adding shares to their own addresses and removing them.
