Incident date: 2023-12-01

TLDR

At 2023-12-01 07:29 UTC the configuration change to the Impossible Finance pool by the IF team has put the WeHMND/USDC pair into an invalid state. In about three hours, one of the DEX users spotted odd behavior of the swap and asymmetrically extracted the USDC from the pool, leaving the WeHMND in it. Minutes after this, the Humanode and IF teams reacted to the anomaly in the pool; the contact with the user was established and the extracted USDC returned, first under the Humanode team control, and then, after a few days spent on technical verification, the funds were uploaded back into the pool, and corrective LP tokens were distributed to the holders. The incident was fully resolved at 2023-12-05 04:37 UTC, no funds were lost.

Timeline

Impossible Finance Incident Live Updates

What happened?

Configuration change

Everything started with the erroneous configuration changes to the Impossible Finance’s ImpossiblePair contract. This configuration change was issued erroneously due to a miscommunication among the Impossible Finance team.

The change enabled boosting for the WeHMND/USDC pair, which is invalid for this pair as it is only intended for stablecoin pairs.

Refs:

• https://humanode.subscan.io/extrinsic/0x02c5268ee8f525ddb2f4d36f9aac0a712a866c644263e1787922203e96174d12

A series of USDC swaps

With the newly applied configuration, doing any swap would significantly skew the exchange rate of the pair. This went unnoticed for three hours, as the swap was more or less idle.

The first user to start doing the swap operations after the configuration change immediately felt that something was very wrong, as the contract gave out way more USDC for little WeHMND than it was supposed to.

So, the user promptly decided to extract all the USDC that he could get. As we learned later - the user did not have malicious intent, and the goal was simply to hold all the funds safely while the issues with contracts were resolved.

Refs:

• Starting from block 5419114 and tx https://humanode.subscan.io/extrinsic/0x090d1999cc43ade1de2fa89b71050648ff0c5327772a2b615294545aa149be33
• https://humanode.subscan.io/account/0x4F4cE52b3F384d8180cF3574C5d9B918e70BCacD?tab=erc20_transfer
  • 0x56d624534aa88c747fc6e4a3183a3168f4d9b6213766a98325aa43de3bfaf2bd
  • 0x2105dac1d70292cd602bb34904258028c9f452c49f0aabe7ca326f113efb0b8d
  • 0x45e0e5ac8602bcd59315724100f44b7f66550fbee9d247fa718c2d0a48e29e93
  • 0x7c083bc37abfdad1c8d083fa16642175cf1521dfd4c89c0bdcf041d318b24f2c
  • 0x40650124fce9363122008716f01f4a3da1f9a5265180e512ea85cb70a63f2b3b
  • 0x090d1999cc43ade1de2fa89b71050648ff0c5327772a2b615294545aa149be33

USDC ported to Ethereum chain

The user then ported the USDC to the Ethereum chain. From the user’s perspective, it was not clear what happened and why this odd behavior suddenly started happening, so the user decided to also move the extracted USDC funds (along with some personal USDC they had on their account before the incident) from the Humanode chain to the Ethereum.