The Decentral Bank team announced in a tweet that a recent issue with its smart contract has been resolved. A bug on the platform allowed a user to mint roughly 10 trillion USN tokens for only 10 USD.
Swap Errors and a Refund Bug
Decentral Bank unveiled the problem after a user dubbed “pavladiv. near” attempted a token swap. The user in question tried to exchange 5 of the network’s USN tokens (roughly $5) for 5 USDT tokens. The operation was to occur through Decentral Bank’s on-chain swap mechanism.
However, the transaction hit a snag when an issue arose that prevented swaps unless the recipient wallet contained some Tether. Notably, USDT was not necessary for the operation regardless, Pavladiv was unable to complete the process due to the glitch.
They attempted to carry out the transactions two more times but ran into the same issue repeatedly. Following the failure, the USN smart contract tried to refund the user for the operation. Thus, the error with the USN tokens took place.
Unfortunately, during the USN refund process, the system placed a decimal point incorrectly. The refund amount came up to about 4.9995 USN, a total of $5. However, the glitch caused the smart contract to mint 4.9995 trillion USD instead.
Given that pavladiv.near had attempted the transaction twice the platform refunded them for both tries. Hence, the error allowed the user to receive about $10 trillion following the refund. After the Decentral Bank team spotted the glitch, they put the minting contract on hold.
Decentral Bank Acts to Restore Order
Following the developments mentioned above, the team initiated a solution to resolve the point misplacement during swap refunds. In addition to this, they sent all the wrongly minted tokens to a burn address thus balancing the supply of USN tokens in circulation.
Afterward, the team shared the details of their response in the announcement tweet noting the importance of transparency. They also sent out a medium release properly outlining the details of the event.
Had the team not responded on time, the glitch could have caused significant damage. A malicious actor could have taken advantage of it to mint infinite quantities of USN. Eventually, they would have completely emptied the Ref Finance USDT liquidity pool.
1/ $USN v2.0’s security incident on July 6th, 2022
The issue has been immediately resolved by the team and no funds were lost, stolen or affected in any way
As we firmly believe that transparency is paramount, we want to explain this event and the future measures to be taken
— Decentral Bank (@DcntrlBank) July 7, 2022
Decentral Bank is a DAO currently maintaining the USN stablecoin on the Near network. The Near blockchain houses DeFi protocol Ref Finance which sponsors Decentral Banks and is a key supporter. Decentral Bank is working to guard against similar occurrences in the future.
In their tweet, the team claimed they were test running a fix for the swap error. However, ahead of the release, the USN developer requested users to hold some Tether tokens while conducting exchanges. In addition to these moves, they intend to deploy spare alert systems to release notifications on notable alterations to $USN emissions and the Reserve fund.
Besides pavladiv.near whom the platform plans to award a bug bounty, no other users were affected. Decentral Bank reinstated the USN smart contract a few hours after identifying the issue.