Explained: The PAID Network Hack (March 2021)

The PAID attacker took advantage of poor key management practices at PAID, not a vulnerability in the PAID smart contract.  The network relied on a single private key to manage control over the smart contract; by compromising that private key, the attacker was able to gain control over the upgrade functionality of the contract.

With this control, the attacker was able to upgrade and replace the original smart contract with a malicious version that allowed tokens to be burned and minted.  Token burning was necessary because the maximum supply of the $PAID token had already been reached.

By destroying existing tokens and minting new ones, that attacker was able to create brand-new tokens under their control.  In total, the attacker was able to mint 59,471,745.571 $PAID tokens.  Of these, 2,501,203 were converted to Ether before the PAID team was able to block PAID/ETH swaps on Uniswap.  The 2,040.4339 ETH produced have a value of over $3 million.

The PAID smart contract had previously undergone a successful security audit, and this hack did not exploit any smart contract vulnerabilities.  However, the weakness that it did take advantage of – using a single private key to control vital functionality – could have been identified and communicated as a point of risk, where a single user would have full control of the contract functions.

As a result of the hack, the PAID team has implemented key management best practices, including the use of multi-signatures for critical functionality (like the smart contract upgrade process).  The team also plans to audit its processes to improve the security of its private keys and IT systems.

The PAID Network hack demonstrates that private key security is not just a problem for blockchain and crypto users.  Platforms built using smart contract technology must also implement solutions to protect against account compromise.

Make sure you’re implementing security best practices by contacting Halborn today at halborn@protonmail.com.