It has been reported that while the exploit netted nearly $180 million in PAID tokens at the time of the attack, the hacker’s payday will end up being far less.
However, one observer noted that the attacker’s wallet converted only some of its tokens to wrapped ether, leaving the rest in rapidly devaluing PAID tokens.
The report said that the attacker’s wallet still has over 57 million PAID tokens worth $37 million.
The exploit is conceptually similar to an attack on insurance protocol Cover that took place in late December last year. In that case, the Cover team took a “snapshot” of holders prior to the attack and issued a new token, returning the supply of the token to pre-exploit levels.
The PAID team confirmed on Twitter that they are currently planning for a snapshot and restoration.
We are investigating the issue. We pulled liquidity, are creating a new smart contract, & will be restoring everyone's original balances to before the hack. Those with staked, Lpool & UniFarm $PAID will have their tokens be sent to them manually. We will share more updates soon — PAID NETWORK (@paid_network) March 5, 2021
Token holders anxious for a resolution may be out of luck. Some in the community are speculating that the attack on PAID was not an exploit at all, but instead a “rugpull” — a colloquial term for an insider designing contracts to specifically make them exploitable and swiping user funds.
Nick Chong of Parafi Capital noted on Twitter that Paid’s deployer contract, an externally controlled account, transferred ownership of the deployer to the attacker shortly before the mint, indicating that a member of the team either rugpulled or errantly allowed the attack to take place with a security lapse.
Kyle Chasse, the CEO of Paid Network, said:
“The LAPD will be in contact with Kyle Chasse very shortly.”