Cross-chain protocols are continuing to face challenges, with Synapse Bridge narrowly averting a multi-million exploit.
On Sunday, Synapse Bridge announced on Discord they had prevented a hacker from draining approximately $8 million USD from the Avalanche Neutral Dollar (nUSD) Metapool.
The hacker attempted to exploit a vulnerability using the bridge to transfer assets from Polygon (MATIC) to Avalanche (AVAX). Synapse is a cross-chain bridge designed to facilitate swaps and transfers between a range of layer-one and layer-two protocols using an automated market maker (AMM).
Synapse Bridge stated: “Over the past 16 hours, we encountered and discovered a contract bug in the way that the AMM Metapool contracts handle virtual price calculations against the base pool's virtual price.”
As soon as Synapse’s validators became aware of the AMM’s unusual activity, the protocol paused its support for all chains and went offline. By shutting down the network, validators were able to collectively elect to reverse the transaction before it could be confirmed. In this way, the funds will ultimately not be minted to the attackers’ address on the destination chain.
“The validators will instead mint the nUSD back to the affected Avalanche LPs. All Avalanche nUSD LPs will be made whole, with no funds lost,” stated Synapse Bridge. The funds from the rejected transaction will be used to reimburse the affected liquidity providers after the full audit of the exploit is completed.
Synapse Bridge has now deployed new nUSD pools, which are a standard stableswap pool of four assets rather than a metapool.
Related: THORChain concludes 2 security audits following summer exploits
“This is the safest route as the base stableswap contract (distinct from the Metapool contracts) has been thoroughly battle-tested by many different platforms,” wrote Aurelius.
Synapse Bridge says the network is now online and resuming normal activity. The user backlogs or pending transactions have also been processed. Synapse Bridge has notified Saddle, the developer of Metapool contracts. Saddle has now also paused its pool. Only those metapools from Saddle were affected by the exploit.