A multi-million dollar exploit was nearly averted by the Synapse Bridge, which is a cross-chain protocol that continues to have difficulties. In a Discord announcement on November 7, Synapse Bridge said that they have blocked a hacker from emptying nearly $8 million USD from the Avalanche Neutral Dollar (nUSD) Metapool.
Using the bridge, the hacker tried to take advantage of a weakness in order to move assets from Polygon (MATIC) to Avalanche (AVAX). Using an automated market maker, Synapse is a cross-chain bridge intended to simplify swaps and transfers across a variety of layer-one and layer-two protocols on the Ethereum blockchain (AMM).
It was announced by Synapse Bridge that they had uncovered a contract fault in the way that the AMM Metapool contracts handled virtual price computations in comparison to a base pool’s virtual price “during the course of the previous 16 hours.”
In response to AMM’s unexpected conduct, Synapse’s validators halted support for all chains and went down as soon as they were made aware of it by its validators. Validators were able to collectively opt to reverse the transaction before it could be verified by shutting down the network as a result of this action.
Ultimately, the money will not be minted to the attackers’ address on the target chain if they do not do so in this manner. “Instead, the validators will coin the nUSD and distribute it to the impacted Avalanche LPs.”
“All Avalanche nUSD LPs will be refunded in full, with no cash lost,” Synapse Bridge declared in a statement. After the entire audit of the exploit is finished, the cash from the rejected transaction will be utilized to repay the liquidity providers who were impacted by the attack.
It has now been implemented new nUSD pools, which are a regular stableswap pool of four assets rather than a metapool, on the Synapse Bridge. As Aurelius put it, “this is the most secure approach since the main stable swap contract (as opposed to the Metapool contracts) has been rigorously battle-tested by many different platforms.”
Synapse Bridge reports that the network is now operational and that regular operations may be resumed. It has also been completed the processing of user backlogs and outstanding transactions. Synapse Bridge has told Saddle, the creator of Metapool contracts, that the contract has been created. The pool at Saddle has now been suspended as well. Only the metapools from Saddle were impacted by the vulnerability, and only those metapools.