$42 000 USD

JULY 2021




"The DAO-as-a-Service Infrastructure for Decentralized Governance and Open Source Ventures." "Dora Factory is a programmable, multi-chain DAO-as-a-Service open infrastructure on Substrate. Crucial schemes like quadratic voting, bonding curve fundraising, all cool features regrading on-chain governance can be built on this infrastructure as pallets by the developers, and they can be rewarded in a SaaS model when DAOs launched on Dora Factory deploy them."


"Dora Factory is governed by DORA holders. DORA will be the utility token that binds the network together. Users and holders of DORA can stake, mine and pay DORA tokens. Developers who build will be rewarded with DORA tokens." "Dora Factory’s vision is to build a DAO-as-a-Service infrastructure that empowers every DAO with the right toolkits for better interoperability and incentivizes open source developers and hackers on the web. their next venture-building path."


"ChainSwap is a bridge protocol that links the Ethereum and Binance Smart Chain (BSC) blockchains." "It supports Binance Smart Chain, Ethereum, Polygon, and Huobi Eco Chain." "The ChainSwap hacker identified and exploited a vulnerability in the ChainSwap smart contract. This vulnerability enabled them to steal and mint new tokens for various protocols that were using the bridge to trade across Ethereum and BSC."


Investigation by ChainSwap revealed "a bug in the token cross-chain quota code. The on-chain swap bridge quota is automatically increased by the signature node, which is intended to be more decentralized without manual control. However, due to a logical flaw in code, this led to an exploit by allowing invalid addresses which weren’t whitelisted to automatically increase the amount."


"According to official sources, due to a contract vulnerability in the cross-chain asset bridge ChainSwap, 7872 DORA locked in the ChainSwap cross-chain bridge contract was taken out by hackers and sold through Uniswap." "Today, sadly ChainSwap was cracked again by a black-hat hacker. This time, DORA tokens on ChainSwap bridges were affected. 7872 DORA tokens were stolen from the ChainSwap bridge smart contract and they were immediately sold on Uniswap."


"The attacker managed to take control of the projects’ BSC contracts by exploiting ChainSwap. The attacker minted tokens directly to their address, then sold them on BSC’s most popular decentralized exchange, PancakeSwap." "[T]he attacker used the PancakeSwap exchange to convert the stolen tokens to WBNB, DAI, and other tokens."


"For now, we will work with ChainSwap team on this issue and find a solution to the problems in the coming week. (ChainSwap team is actively solving the problems now, give them some time!). We will make an announcement once we have a final solution."


"Chainswap temporarily closed its cross-chain bridge." "ChainSwap worked with the police and OKEx to identify the attackers, and managed to negotiate the recovery of Corra and Rai tokens. An initial email with the attackers suggested the attackers return $1 million."


“Sorry for the trouble, you sound genuinely like great people but money is money,” the attackers of the earlier exploit told ChainSwap.


"ChainSwap team contacted [Dora Factory] and briefed the situation. They are actively tracking the hacker’s address and promised to work [together] to deliver a solution to cover the loss of Dora Factory foundation and our community as soon as they can."


"Comparing to the current FDV market cap of Dora Factory, the loss of DORA on ChainSwap bridge attack is not significant (worth less than $50k). Most of the tokens were assets owned by the Foundation, and they were used to create cross-chain liquidities. This event will not affect the development of Dora Factory in any foreseeable way (definitely no need to panic!)."


"However, we do recognize that cross-chain technology is early-stage and it is far from being mature. As a result of this event, we will temporarily withdraw all cross-chain Defi liquidities until we have a verifiably secure solution (either a new cross-chain service provider, or develop our own cross-chain infrastructure)."


"Chainswap said it had already repurchased a small amount of the affected tokens from the market and returned the contract wallet. The rest will be paid out in full by the Chainswap vault." "ChainSwap team has now prepared and executed a compensation plan in consensus with the affected projects." "In order to bring everybody a more rigorous, efficient bridge, the next development model of ChainSwap will be adjusted to ensure maximum safety."

Dora Factory is a service which assists in creating decentralized governance. Their token used ChainSwap to exist on multiple blockchains, which required some funds to be stored in the smart contract hot wallet.


The ChainSwap bridge was hacked, and the attacker was able to obtain the tokens, which were sold. Dora has been working with ChainSwap to reimburse any affected users.


Theoretically, decentralized finance will eventually result in hackers having exploited every vulnerability that exists. However, it's impossible to know when that will occur and if a contract is truly secure, as opposed to there still being an exploit that just hasn't been noticed yet. For any complex smart contract, it's impossible to prove security and plenty of fully audited contracts have been exploited.


In this situation, there was luckily not much taken, and it looks like it will be ultimately reimbursed. Platforms should, generally, be prepared for the full loss of all assets stored in hot wallets (including smart contracts). Assets that do not need to be accessed quickly should be stored securely in a simple offline multi-signature wallet.


Check Our Framework For Safe Secure Exchange Platforms

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.