InfoNesia.xyz – Decentralized trading protocol DODO says a white hat hacker recently reported a vulnerability in the vDODO contract.
vDODO Disabled to Stall Possible Hacking Attempt
According to a recent announcement, a white hat hacker discovered and reported a vulnerability in the vDODO contract to the DODO team. Hackers could exploit this vulnerability to reduce vDODO holders’ referral staking power. The DODO team sprang into action immediately to prevent this by disabling the vDODO contract’s transfer function until a solution is found.
However, vDODO assets owned by the user are not affected. The attackers themselves cannot gain any revenue from the attack, and it will only cost them their own gas fees.
The DODO team posted an announcement on their website to inform people of the current threat and their initiative to stop it. In the announcement, the team assured users that no one had been affected to date and that they are working to find a solution.
The protocol has temporarily disabled the assignment function of the vDODO contract to avoid attack activities and is looking for a solution. User assets remain unaffected, and users need not be worried.
The DODO team said:
“After analyzing and inventorying all past on-chain transactions, we have not found any user that has been impacted by this vulnerability. Despite this, we have currently suspended vDODO’s transfer function to avoid attacks. It will be restored when the source of the vulnerability is fixed.”
How Can the Vulnerability be Exploited
For the vulnerability to be effectively exploited, it will require the participation of two attackers who would work as follows:
Attacker 1 would transfer some vDODO to Attacker 2, who has not previously set a referral superior, and the referral power is credited to address 0x0000000 (known as the zero address).
Attacker 2 then sets the victim as their referral, but the referral staking power provided by Attacker 2 is not properly recorded and still remains at the zero address.
Attacker 2 will transfer the vDODO out, removing the extra referral staking power from the victim.
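The three steps above can be traced in a toy accounting model. The Python below is an added example, not DODO's contract code: the class, its method names, the 1:1 token-to-power rule, the sample balances and the `migrate_on_set` fix are all assumptions made for illustration. It runs the same sequence against a vulnerable and a hardened ledger and checks the invariant that each superior's credit equals the sum of its referees' balances.

```python
# Toy model, constructed for illustration: 1 token held = 1 unit of referral power.
from collections import defaultdict
ZERO = "0x0"  # stand-in for the zero address

class ReferralLedger:
    def __init__(self, migrate_on_set):
        self.migrate_on_set = migrate_on_set  # True = hardened variant (assumed fix)
        self.balance = defaultdict(int)       # holder -> tokens
        self.credit = defaultdict(int)        # superior -> referral staking power
        self.superior = {}                    # holder -> superior; unset means ZERO

    def _sup(self, user):
        return self.superior.get(user, ZERO)

    def mint(self, user, amount):
        self.balance[user] += amount
        self.credit[self._sup(user)] += amount

    def set_superior(self, user, sup):
        if user in self.superior:
            raise ValueError("superior already set")
        if self.migrate_on_set:  # move power parked at ZERO to the new superior
            self.credit[ZERO] -= self.balance[user]
            self.credit[sup] += self.balance[user]
        self.superior[user] = sup

    def transfer(self, src, dst, amount):
        if self.balance[src] < amount:
            raise ValueError("insufficient balance")
        self.balance[src] -= amount
        self.balance[dst] += amount
        self.credit[self._sup(src)] -= amount  # debits whoever is superior now
        self.credit[self._sup(dst)] += amount

    def invariant_holds(self):  # credit per superior == sum of referees' balances
        expected = defaultdict(int)
        for user, bal in self.balance.items():
            expected[self._sup(user)] += bal
        return all(self.credit[s] == expected[s] for s in set(self.credit) | set(expected))

def run_scenario(migrate_on_set):
    led = ReferralLedger(migrate_on_set)
    led.set_superior("referee", "victim")       # honest referee (constructed)
    led.mint("referee", 100)
    led.mint("attacker1", 50)
    led.transfer("attacker1", "attacker2", 50)  # step 1: power is credited to ZERO
    led.set_superior("attacker2", "victim")     # step 2: superior set after receipt
    led.transfer("attacker2", "attacker1", 50)  # step 3: victim is debited
    return led.credit["victim"], led.invariant_holds()
```

In the vulnerable variant the victim's credit falls from 100 to 50 and the invariant check fails; with migration on set it ends at 100 and the invariant holds.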