Decentralized fundraising platform Poolz Finance has just become the poster child for how DeFi protocols should respond to hacking incidents.
This week, within minutes of being hacked, it implemented a series of measures that not only helped to contain the damage and prevent it from spreading, but almost certainly stopped the hacker from profiting from his or her ill-gotten gains.
Poolz Finance is a decentralized swapping protocol that aims to provide a way for crypto startups and project owners to bootstrap liquidity. It works by making it simple for project owners to launch and manage liquidity auctions that investors can easily discover and participate in.
Although it’s a relatively new protocol, Poolz Finance has seen some success already, making it a target for the individual who discovered a vulnerability within the smart contract governing its POOLZ token vesting system. On March 15, the hacker managed to exploit this vulnerability and make off with an undisclosed number of POOLZ tokens that had been allocated to public buyers. The BscScan blockchain explorer shows that some of these tokens were rapidly sold on DEXs or exchanged through the cryptocurrency mixing service Tornado Cash.
Unfortunately for the hacker, he or she didn’t move fast enough. Poolz Finance reacted by creating a response team that moved quickly to ensure that no POOLZ tokens could be traded on any exchange, while implementing other measures to prevent the incident from happening again.
One of the very first steps was to identify the hacker’s address and flag it on multiple blockchain explorers. At the same time, Poolz Finance worked with the Uniswap and PancakeSwap DEXs to remove all liquidity from their exchanges and protect their users, while also notifying centralized exchanges and its wider community to halt activity on all POOLZ trading pairs. Meanwhile, a freeze was imposed on all POOLZ porting on the ChainPort.io bridge.
The rapid reaction from Poolz Finance was likely more than just quick thinking on the team’s part. Clearly, the protocol had a plan of action in place prior to the security incident, enabling it to move extremely fast and frustrate the ambitions of the hacker. As a result, he or she was only able to swap a small fraction of the stolen tokens before running out of avenues to funnel them through. In less than two hours, the hacker’s plans fell apart.
By far the most dramatic step taken, however, was the decision to remove the POOLZ token from circulation altogether and replace it with a brand new token, called POOLX. This will ensure that the hacker is left holding thousands of now useless tokens. What’s more, Poolz Finance said it intends to continue pursuing the hacker and bring them to justice.
The new token, which is currently being audited by ArcadiaGroup, CertiK and ChainPort, will go live once a new smart contract has been deployed. All POOLZ token holders prior to the hack will be compensated 1:1 with newly minted POOLX tokens, with new liquidity pools established based on the existing POOLZ exchange rate, as it was prior to the hack. Poolz Finance also said it’s developing a compensation model that will reward the community for its patience. The supply of POOLX will therefore be increased by 10% to support these ecosystem rewards.
Poolz Finance said it launched a flash fundraising campaign in the immediate aftermath of the hack that raised $600,000 in less than 12 hours. The money will be used to implement and distribute the new POOLX token and strengthen its security, Poolz said.
Liam Cohen, founder of Poolz Finance, said he is proud of his team’s swift and effective response to the hacking incident, and that its main priority is to protect its community.
“Despite this setback, we’ll come out stronger with our new token, POOLX, which is currently undergoing an audit,” he said. “Our treasury is unaffected, and we remain financially stable. We’re dedicated to our community and DeFi and we thank you for your support.”