Incident date: 2023-12-01
At 2023-12-01 07:29 UTC, a configuration change made to the Impossible Finance pool by the IF team put the WeHMND/USDC pair into an invalid state. About three hours later, one of the DEX users spotted odd swap behavior and asymmetrically extracted the USDC from the pool, leaving the WeHMND in it. Minutes after this, the Humanode and IF teams reacted to the anomaly in the pool. Contact with the user was established and the extracted USDC was returned, first into the Humanode team's control; then, after a few days spent on technical verification, the funds were put back into the pool and corrective LP tokens were distributed to the holders. The incident was fully resolved at 2023-12-05 04:37 UTC; no funds were lost.
Impossible Finance Incident Live Updates
Everything started with an erroneous configuration change to Impossible Finance’s ImpossiblePair contract. The change was issued by mistake due to a miscommunication within the Impossible Finance team.
It enabled boosting for the WeHMND/USDC pair, which is invalid for this pair, as boosting is only intended for stablecoin pairs.
With the newly applied configuration, any swap would significantly skew the exchange rate of the pair. This went unnoticed for three hours, as the pair was more or less idle.
The first user to swap after the configuration change immediately noticed that something was very wrong: the contract gave out far more USDC for a small amount of WeHMND than it was supposed to.
So the user promptly decided to extract all the USDC that he could get. As we learned later, the user did not have malicious intent; the goal was simply to hold all the funds safely while the issues with the contracts were resolved.
Refs:
5419114
and tx https://humanode.subscan.io/extrinsic/0x090d1999cc43ade1de2fa89b71050648ff0c5327772a2b615294545aa149be330x56d624534aa88c747fc6e4a3183a3168f4d9b6213766a98325aa43de3bfaf2bd
The user then ported the USDC to the Ethereum chain. From the user’s perspective, it was not clear what had happened or why this odd behavior had suddenly started, so the user decided to also move the extracted USDC (along with some personal USDC they had in their account before the incident) from the Humanode chain to Ethereum.