Synapse Bridge has announced that they had prevented a hacker from draining approximately $8 million USD from the Avalanche Neutral Dollar (nUSD) Metapool.
It has been reported that the hacker attempted to exploit a vulnerability using the bridge to transfer assets from Polygon (MATIC) to Avalanche (AVAX). Synapse is a cross-chain bridge designed to facilitate swaps and transfers between a range of layer-one and layer-two protocols using an automated market maker (AMM).
Synapse Bridge stated:
“Over the past 16 hours, we encountered and discovered a contract bug in the way that the AMM Metapool contracts handle virtual price calculations against the base pool's virtual price.”
However, as soon as Synapse’s validators became aware of the AMM’s unusual activity, the protocol paused its support for all chains and went offline. By shutting down the network, validators were able to collectively elect to reverse the transaction before it could be confirmed.
In this way, the funds will ultimately not be minted to the attackers’ address on the destination chain.
Synapse Bridge stated:
“The validators will instead mint the nUSD back to the affected Avalanche LPs. All Avalanche nUSD LPs will be made whole, with no funds lost.”
The report said that the funds from the rejected transaction will be used to reimburse the affected liquidity providers after the full audit of the exploit is completed. Synapse Bridge has now deployed new nUSD pools, which are a standard stableswap pool of four assets rather than a metapool.
Synapse Bridge says the network is now online and resuming normal activity. The user backlogs or pending transactions have also been processed.
Thus, Synapse Bridge has notified Saddle, the developer of Metapool contracts. Saddle has now also paused its pool. Only those metapools from Saddle were affected by the exploit.
Source: Cointelegraph