defirisk.co
rubric v1.7.0

Snowdog (SnowdogDAO): Insider front-running — privileged challengeKey knowledge + custom AMM sniping

Snowdog's anon team created a custom AMM with a secret challengeKey for a $44M buyback, and insiders with advance knowledge sniped $21M in the first two transactions.

Occurred 2021-11-25 Loss $21M Status closed

Summary #

Snowdog (SnowdogDAO) suffered a OHM-fork / Reserve Memecoin on 2021-11-25, resulting in a loss of approximately $21M.

What happened #

Snowdog's anon team created a custom AMM with a secret challengeKey for a $44M buyback, and insiders with advance knowledge sniped $21M in the first two transactions.

Linked factors #

  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — custom Snowswap AMM with challengeKey]
  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — Entire protocol was 8 days old; custom AMM deployed specifically for the buyback] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — Entire protocol was 8 days old; custom AMM deployed specifically for the buyback]
  • RD-F-007 — causal : Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program]
  • RD-F-027 — causal : ★ Single admin EOA (not multisig, not timelock) [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay] || ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — Team migrated all liquidity to custom AMM with challengeKey mechanism]
  • RD-F-032 — related : Timelock duration on upgrades = 0 [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay]
  • RD-F-076 — related : Protocol age (Cat 5 — < 6 months age signal) [via dashboard_risk_factors/Protocol age: 8 days (by design)]
  • RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Two new wallets funded via FTX day before buyback; liquidity migration from TraderJoe to custom AMM; treasury accumulation to $44M visible o...]
  • RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — Team migrated all liquidity to custom AMM with challengeKey mechanism]
  • RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Anonymous — Snowbank/Snowdog anon team]
  • RD-F-122 — related : Contributor paid to wallet routing to known DPRK cluster [via cross-hack: Factor 34: Suspected Insider Involvement]
  • RD-F-123 — causal : ★ Sudden admin-rescue / ACL change absent issue/PR discussion [via cross-hack: Factor 34: Suspected Insider Involvement]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — OHM fork (Snowbank); custom AMM forked from Uniswap V2]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — Entire protocol was 8 days old; custom AMM deployed specifically for the buyback]