DODO (V2 Crowdpooling): Reinitializable init() in Crowdpool contract — attacker calls init() twice with counterfeit then real token, resets reserve to 0 via sync(), drains pool via flash loan
Summary
DODO (V2 Crowdpooling), a DEX / AMM (Crowdpooling), was exploited on 2021-03-09, resulting in a loss of approximately $4M.
What happened
DODO's Crowdpool init() function could be called twice — an attacker reset pool reserves to zero with a fake token, then reinitialised with real tokens and flash-loaned out $3.8M, while a front-running bot beat them to the first drain by 10 minutes.
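The root cause is an initializer with no "already initialized" guard. The following is an added, simplified illustration (not DODO's own contract code); the contract and function names are assumed, and the pool logic is reduced to the two pieces the incident turned on: a re-callable init() and a sync() that recomputes reserves from whatever token addresses are currently configured.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
}

// Vulnerable shape: init() can be called again, so the token addresses
// (and the reserves derived from them) can be swapped out after launch.
contract CrowdpoolVulnerable {
    IERC20 public baseToken;
    IERC20 public quoteToken;
    uint256 public baseReserve;
    uint256 public quoteReserve;

    function init(address base, address quote) external {
        baseToken = IERC20(base);   // no check that init already ran
        quoteToken = IERC20(quote); // no check on who is calling
    }

    // Re-derives reserves from the pool's balance of the configured tokens.
    // After a re-init pointing at a different token, this reads 0 and the
    // bookkeeping no longer matches the real assets held by the contract.
    function sync() public {
        baseReserve = baseToken.balanceOf(address(this));
        quoteReserve = quoteToken.balanceOf(address(this));
    }
}

// Hardened shape: one-shot initializer, callable only by the deployer,
// with basic sanity checks on the token addresses.
contract CrowdpoolHardened {
    IERC20 public baseToken;
    IERC20 public quoteToken;
    bool private _initialized;
    address public immutable factory;

    constructor() { factory = msg.sender; }

    function init(address base, address quote) external {
        require(msg.sender == factory, "only factory");
        require(!_initialized, "already initialized");
        require(base != address(0) && quote != address(0) && base != quote, "bad token");
        _initialized = true; // set before any external interaction
        baseToken = IERC20(base);
        quoteToken = IERC20(quote);
    }
}
```

A review check for this class of bug: every initializer on a proxy, clone or factory-deployed contract must be guarded by a flag (or an initializer modifier) and an access restriction, and any function that recomputes state from token balances must not be reachable in a window where the token addresses can still change.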
Linked factors
- RD-F-008 (illustrative): Bug survived review. RD-F-008 = ignored disclosure; closest semantic match for an audit-missed bug. Source: dashboard_risk_factors / Vulnerability in audited or unaudited code: Audited — re-initialization vulnerability survived audit.