- Trader Joe was exploited for ~$1M, but they kept this a secret. Later, the same technique was used against Pangolin to steal ~$300K of protocol fees.
Below is a quick overview of these projects.
Trader Joe is the #1 one-stop-shop for decentralized trading on Avalanche. Users can trade, farm, borrow, launch & discover endless cryptocurrencies.
Pangolin is a community-driven decentralized exchange for Avalanche and Ethereum assets with a fast settlement, low transaction fees, and a democratic distribution–powered by Avalanche.
How did the Attack occur?
As we know, there is a small protocol fee on Trader Joe transactions. The protocol owner can set which address receives these fees. Then the fees, which are pool tokens, are accumulated in that address with each transaction. So, Trader Joe has made the recipient address of the swap fees a permission less contract. Here is the link to the contract: https://snowtrace.io/address/0xC98C3C547DDbcc0029F38E0383C645C202aD663d#code. This contract allows anyone to buyback JOE with the pool tokens accumulated in the contract and sends the JOE to xJOE stakers as a reward.
But there was a vulnerability in the contract. The buyback contract first must remove liquidity and receive its pair tokens to buy back JOE. After removing the liquidity, the buyback contract checks the amount of the pair tokens it has. So after removing JOE-WAVAX, it checks how much JOE and WAVAX are in the contract. But it should instead check how much is received from removing JOE-WAVAX.
So anyone could call
convert() on the JoeMakerV2 contract, which would trade accumulated fees of a particular token pair for JOE. This JOE was sent as a reward to the xJOE contract. Under normal circumstances, this process is automated by a bot or script to avoid slippage and maintenance. But Trader Joe avoided this step, leading to hundreds of thousands of dollars worth of rewards accumulating.
So anyone could enter WAVAX-JLP, where JLP is WAVAX-JOE, and try to convert that to JOE. The contract will have a negligible amount of WAVAX-JLP but a significant amount of WAVAX-JOE. When removing WAVAX-JLP, the contract will check how much it has JLP (i.e., WAVAX-JOE). And the buyback contract will then try to swap all its WAVAX-JOE to WAVAX. That exotic pool will have minimal liquidity, resulting in a buyback contract to swap with a horrible rate. Ultimately, the exploiter will remove the WAVAX-JLP liquidity and walk away with a hefty WAVAX-JOE.
What was the Team’s Response to the Attack?
Multiple attackers consecutively and methodically drained all accumulated rewards from multiple different pools. The first instance of funds being stolen was on November 24, 2021. However, Trader Joe Team noticed this on December 2 and fixed the exploit by setting the
feeReceiver address to a new contract.