The Web3 space is synonymous with freedom from centralized institutions that want to be involved in your transaction. One reason these third parties interfere in centralized transactions is for the safety of the assets being transferred and the parties involved in the transaction. Even though the Web3 world is secure, some safety concerns remain.
The crypto space introduces new ways to move assets, which will come with new and creative ways to steal these assets. Infinite mint attacks are one of the more innovative ways to steal assets and disrupt a project.
Hackers have used infinite mint attacks to steal millions from crypto projects, some of which projects are still trying to recover. To address this, we need to understand what an infinite mint attack is, how it works, and how we can guard against it.
Decentralized finance (DeFi) protocols are the most affected by infinite mint attacks. DeFi projects use smart contracts to automate governance, and the smart contract is open source, meaning anyone can see how it works. If the contract is not properly written and secured, hackers can look through it and easily find vulnerabilities to exploit.
When hackers execute an infinite mint attack, they capitalize on an error to tamper with a project’s contract. They specifically target the contract’s mint function, which controls how many coins are minted. The hackers tell the contract to mint new tokens well over the authorized limit, which will devalue the token.
An infinite mint attack is fast. Attackers hack the system, manipulate the contract, mint new tokens, and sell them quickly. Typically, the tokens are exchanged for more valuable assets like Bitcoin (BTC) or stablecoins like USDC. This process is repeated so often within a short period that by the time the market adjusts, the tokens they sold for profit earlier are now next to worthless.
Hackers are very surgical when they perform an infinite mint attack. The attack is fast and precise, and depending on network congestion and platform response time, an attack can happen in a few minutes. Infinite mint attacks have four main steps, they are:
For an attack to happen, there has to be a chink (vulnerability) in the armor of a project, and attackers know exactly where to check for it, the smart contract. A smart contract is how decentralized projects can function without nosey 3rd parties. It automatically enforces agreements between two parties.
Smart contracts are immutable; once agreed upon, they can not be changed. Hackers capitalize on this immutability, along with the contracts’ open-source nature. Because smart contracts are transparent, hackers can study them to find vulnerabilities and then exploit them.
Hackers usually look for vulnerabilities in the contract’s mint function. Once they find one, they craft a transaction that will make the smart contract bypass the standard checks and balances and then mint excess coins.
The crafted transaction could just be executing a certain function, tweaking a parameter, or even capitalizing on an unknown connection between different code segments.
With the smart contract exploited, attackers can mint as many new tokens as they want, then dump them in the market.
Token dumping happens quickly. The market is flooded with new tokens, and attackers typically exchange the tokens for stablecoins. The dumped tokens are seriously devalued after the market adjusts to the transactions.
After devaluing the token, the attackers profit from the last stage of an infinite mint attack. Even though the coin has lost value, the market does not adjust as fast as the token devalues so that attackers would exchange the now near-worthless tokens with stablecoins and profit at the expense of the token holders.
Attackers get creative in this step. They could profit in a number of ways, one of which is dumping them in exchanges, selling them high before the market reacts to the dumping. They can arbitrage as well, comparing different platforms to find one where the price has not adjusted and then selling the tokens there. Attacks can also drain the liquidity pool by swapping the newly minted tokens for stablecoins in the pool.
Source: pexels
With the rise of Web3, thanks in part to Bitcoin, there has also been a rise in attacks; the first notable one was the Mg.Gox hack in 2011. Since then, hacks have gotten more sophisticated; now, we have hacks like the infinite mint attack. Here are some examples of infinite mint attacks:
The Cover protocol is a DeFi project created to provide insurance to other DeFi projects in instances of smart contract vulnerabilities, attacks, and more. In December 2020, they were hit with an infinite mint attack. The attacker(s) stole one million DAI, 1,400 ether, and 90 WBTC, netting over $4 million.
The attacker(s) could attack after manipulating the Cover’s smart contract to print tokens as a reward. The bug they took advantage of was related to misusing memory and storage in the programming language. With this, they were able to mint 40 quintillion COVER tokens, and in a few hours, they could sell up to $5 million in COVER. In just 24 hours, the value of the Cover token dropped by 75%.
A few hours later, a white hat hacker named Grap Finance claimed responsibility for the attack via an X post. The hacker also stated that no gains were made from the attack and that all funds had been returned to Cover.
The Paid network.) is a decentralized finance (DeFi) platform made to make contracts easier. It would automate and break down legal and business agreements using the power of blockchain technology. In early 2021, Paid network users noticed an issue: the network had been attacked. The attackers took advantage of a vulnerability in the minting contract. The attackers minted and bunt tokens. They could mint millions of PAID tokens and converted 2.5 million to ETH before the attack ended.
The attackers left PAID with a $180 million loss and 85% of its value gone. Some users were suspicious of the Paid network, and they thought the attack was a rug pull. However, after the Paid network could compensate all the affected users, these suspicions were cleared.
BNB Bridge allows users to make cross-chain transfers. With it, users can move assets from the Binance Beacon Chain to the Binance Smart Chain (BSC). In October 2022, the BNB Bridge was hit with an infinite mint attack. The attackers took advantage of a bug in the contract and minted 2 million $BNB; this amounted to $586 million.
The attackers were able to mint the BNB straight into their wallets. They also chose not to swap the tokens and did not want to move them out of Binance. Instead, they used the BNB as collateral to get a loan that would have been sent to a different network. Thankfully, Binance validators stopped the hack, but the smart chain had to be shut down for a while.
Ankr was made to develop web3. Ankr is a blockchain-based infrastructure with DeFi capabilities. In 2022, it was hacked. The hackers got a hold of developed private keys and processed to upgrade the smart contract. This allowed them to mint 6sixquadrillion aBNBc tokens, which were then converted to 5 million USDC. As a result of the attack, Ankr lost $5 million and had to pause ANKR withdrawals on Binance.
Developers of crypto projects need to put safety at the top of their list when making a project. The decentralized economy is changing daily; there is a lot of innovation, but the hackers are just as innovative. There needs to be more emphasis on prevention rather than mitigation.
Developers need to implement multiple steps to prevent hacks like the infinite mint attack. One step in smart contract security is to conduct thorough audits frequently. An audit is the process of checking a smart contract’s code for vulnerabilities that can be exploited. Ideally, these audits should not be internal but handled by trusted third-party security professionals.
Another step is to tighten the lid on who has access to the minting controls. If you have too many people with access, it is easier to be infiltrated and exploited. Projects can also employ a multi-signature wallet. It improves security because, with it, you would need multiple private keys to access an account.
Finally, projects should remember the importance of monitoring and communication. They should have state-of-the-art monitoring tools to spot any irregularities the second they start. If they have an open line of communication with exchanges, other projects, and the crypto community, they can anticipate any attack and plan a defense.
With the emergence of smart contracts, there also has to be something to guide its use. In this case, we are more concerned with its security so that users are not affected during a breach. The first thing we can do is advise projects to be safe. They can follow the steps listed in the last subheading. The problem is that some projects might not take the advice, and the laws on smart contracts are few and far between. So, where do we go from here?
Smart contracts are new, and the law has not caught up to them yet. Right now, the top two things to consider are enforceability and jurisdiction. With smart contracts being made on the blockchain for decentralized services, can the law enforce its rules on them? There have been laws and court cases on crypto, but smart contracts are not addressed enough.
Now, concerning jurisdiction, the question is, how does the law hold a project accountable if there are differences in the law? What is legal in the USA might be illegal in the UK. To bridge these issues, there has to be a regulatory framework that squarely addresses smart contract security. Experts in blockchain technology and the law should collaborate so that a consensus can be reached.
There is still some hope to hold on to. In 2023 the number of DeFi hacks decreased by over 50%, if these regulations are put in place then there will be even fewer hacks globally.
To wrap up, infinite mint attacks are very strategic and fast. Once an attacker starts, they can mint millions of tokens in just a few minutes, but the attacks can be prevented if the right security precautions are taken.
Some steps still exist to create a proper legal framework to protect the projects and their users from infinite mint attacks. For now, decentralized finance (DeFi) projects must be extra secure and vigilant.
The Web3 space is synonymous with freedom from centralized institutions that want to be involved in your transaction. One reason these third parties interfere in centralized transactions is for the safety of the assets being transferred and the parties involved in the transaction. Even though the Web3 world is secure, some safety concerns remain.
The crypto space introduces new ways to move assets, which will come with new and creative ways to steal these assets. Infinite mint attacks are one of the more innovative ways to steal assets and disrupt a project.
Hackers have used infinite mint attacks to steal millions from crypto projects, some of which projects are still trying to recover. To address this, we need to understand what an infinite mint attack is, how it works, and how we can guard against it.
Decentralized finance (DeFi) protocols are the most affected by infinite mint attacks. DeFi projects use smart contracts to automate governance, and the smart contract is open source, meaning anyone can see how it works. If the contract is not properly written and secured, hackers can look through it and easily find vulnerabilities to exploit.
When hackers execute an infinite mint attack, they capitalize on an error to tamper with a project’s contract. They specifically target the contract’s mint function, which controls how many coins are minted. The hackers tell the contract to mint new tokens well over the authorized limit, which will devalue the token.
An infinite mint attack is fast. Attackers hack the system, manipulate the contract, mint new tokens, and sell them quickly. Typically, the tokens are exchanged for more valuable assets like Bitcoin (BTC) or stablecoins like USDC. This process is repeated so often within a short period that by the time the market adjusts, the tokens they sold for profit earlier are now next to worthless.
Hackers are very surgical when they perform an infinite mint attack. The attack is fast and precise, and depending on network congestion and platform response time, an attack can happen in a few minutes. Infinite mint attacks have four main steps, they are:
For an attack to happen, there has to be a chink (vulnerability) in the armor of a project, and attackers know exactly where to check for it, the smart contract. A smart contract is how decentralized projects can function without nosey 3rd parties. It automatically enforces agreements between two parties.
Smart contracts are immutable; once agreed upon, they can not be changed. Hackers capitalize on this immutability, along with the contracts’ open-source nature. Because smart contracts are transparent, hackers can study them to find vulnerabilities and then exploit them.
Hackers usually look for vulnerabilities in the contract’s mint function. Once they find one, they craft a transaction that will make the smart contract bypass the standard checks and balances and then mint excess coins.
The crafted transaction could just be executing a certain function, tweaking a parameter, or even capitalizing on an unknown connection between different code segments.
With the smart contract exploited, attackers can mint as many new tokens as they want, then dump them in the market.
Token dumping happens quickly. The market is flooded with new tokens, and attackers typically exchange the tokens for stablecoins. The dumped tokens are seriously devalued after the market adjusts to the transactions.
After devaluing the token, the attackers profit from the last stage of an infinite mint attack. Even though the coin has lost value, the market does not adjust as fast as the token devalues so that attackers would exchange the now near-worthless tokens with stablecoins and profit at the expense of the token holders.
Attackers get creative in this step. They could profit in a number of ways, one of which is dumping them in exchanges, selling them high before the market reacts to the dumping. They can arbitrage as well, comparing different platforms to find one where the price has not adjusted and then selling the tokens there. Attacks can also drain the liquidity pool by swapping the newly minted tokens for stablecoins in the pool.
Source: pexels
With the rise of Web3, thanks in part to Bitcoin, there has also been a rise in attacks; the first notable one was the Mg.Gox hack in 2011. Since then, hacks have gotten more sophisticated; now, we have hacks like the infinite mint attack. Here are some examples of infinite mint attacks:
The Cover protocol is a DeFi project created to provide insurance to other DeFi projects in instances of smart contract vulnerabilities, attacks, and more. In December 2020, they were hit with an infinite mint attack. The attacker(s) stole one million DAI, 1,400 ether, and 90 WBTC, netting over $4 million.
The attacker(s) could attack after manipulating the Cover’s smart contract to print tokens as a reward. The bug they took advantage of was related to misusing memory and storage in the programming language. With this, they were able to mint 40 quintillion COVER tokens, and in a few hours, they could sell up to $5 million in COVER. In just 24 hours, the value of the Cover token dropped by 75%.
A few hours later, a white hat hacker named Grap Finance claimed responsibility for the attack via an X post. The hacker also stated that no gains were made from the attack and that all funds had been returned to Cover.
The Paid network.) is a decentralized finance (DeFi) platform made to make contracts easier. It would automate and break down legal and business agreements using the power of blockchain technology. In early 2021, Paid network users noticed an issue: the network had been attacked. The attackers took advantage of a vulnerability in the minting contract. The attackers minted and bunt tokens. They could mint millions of PAID tokens and converted 2.5 million to ETH before the attack ended.
The attackers left PAID with a $180 million loss and 85% of its value gone. Some users were suspicious of the Paid network, and they thought the attack was a rug pull. However, after the Paid network could compensate all the affected users, these suspicions were cleared.
BNB Bridge allows users to make cross-chain transfers. With it, users can move assets from the Binance Beacon Chain to the Binance Smart Chain (BSC). In October 2022, the BNB Bridge was hit with an infinite mint attack. The attackers took advantage of a bug in the contract and minted 2 million $BNB; this amounted to $586 million.
The attackers were able to mint the BNB straight into their wallets. They also chose not to swap the tokens and did not want to move them out of Binance. Instead, they used the BNB as collateral to get a loan that would have been sent to a different network. Thankfully, Binance validators stopped the hack, but the smart chain had to be shut down for a while.
Ankr was made to develop web3. Ankr is a blockchain-based infrastructure with DeFi capabilities. In 2022, it was hacked. The hackers got a hold of developed private keys and processed to upgrade the smart contract. This allowed them to mint 6sixquadrillion aBNBc tokens, which were then converted to 5 million USDC. As a result of the attack, Ankr lost $5 million and had to pause ANKR withdrawals on Binance.
Developers of crypto projects need to put safety at the top of their list when making a project. The decentralized economy is changing daily; there is a lot of innovation, but the hackers are just as innovative. There needs to be more emphasis on prevention rather than mitigation.
Developers need to implement multiple steps to prevent hacks like the infinite mint attack. One step in smart contract security is to conduct thorough audits frequently. An audit is the process of checking a smart contract’s code for vulnerabilities that can be exploited. Ideally, these audits should not be internal but handled by trusted third-party security professionals.
Another step is to tighten the lid on who has access to the minting controls. If you have too many people with access, it is easier to be infiltrated and exploited. Projects can also employ a multi-signature wallet. It improves security because, with it, you would need multiple private keys to access an account.
Finally, projects should remember the importance of monitoring and communication. They should have state-of-the-art monitoring tools to spot any irregularities the second they start. If they have an open line of communication with exchanges, other projects, and the crypto community, they can anticipate any attack and plan a defense.
With the emergence of smart contracts, there also has to be something to guide its use. In this case, we are more concerned with its security so that users are not affected during a breach. The first thing we can do is advise projects to be safe. They can follow the steps listed in the last subheading. The problem is that some projects might not take the advice, and the laws on smart contracts are few and far between. So, where do we go from here?
Smart contracts are new, and the law has not caught up to them yet. Right now, the top two things to consider are enforceability and jurisdiction. With smart contracts being made on the blockchain for decentralized services, can the law enforce its rules on them? There have been laws and court cases on crypto, but smart contracts are not addressed enough.
Now, concerning jurisdiction, the question is, how does the law hold a project accountable if there are differences in the law? What is legal in the USA might be illegal in the UK. To bridge these issues, there has to be a regulatory framework that squarely addresses smart contract security. Experts in blockchain technology and the law should collaborate so that a consensus can be reached.
There is still some hope to hold on to. In 2023 the number of DeFi hacks decreased by over 50%, if these regulations are put in place then there will be even fewer hacks globally.
To wrap up, infinite mint attacks are very strategic and fast. Once an attacker starts, they can mint millions of tokens in just a few minutes, but the attacks can be prevented if the right security precautions are taken.
Some steps still exist to create a proper legal framework to protect the projects and their users from infinite mint attacks. For now, decentralized finance (DeFi) projects must be extra secure and vigilant.