The decentralized finance (DeFi) platform ParaSwap discovered a security vulnerability in its newly launched Augustus v6 contract and averted significant fund loss through timely white hat intervention. On March 18th, the ParaSwap Augustus v6 contract went live, aiming to increase swap efficiency and reduce transaction fees. However, the contract contained a critical security flaw that could allow attackers to drain funds from any user who had granted the contract a token approval.
Proactive Steps by the ParaSwap Team
ParaSwap paused its v6 application programming interface (API) shortly after discovering the security flaw on March 20th and secured the funds at risk through a white hat rescue operation.
ParaSwap recommended that all users revoke their permissions for the Augustus v6 contract to prevent further fund loss until the vulnerability was neutralized. Despite ParaSwap’s efforts to retire the vulnerable v6 contract and inform users of the necessary steps, a hacker managed to withdraw approximately $24,000 from four different addresses.
ParaSwap announced that a total of 386 addresses were affected by the security flaw. The protocol also asked users to report any fund losses that may not have been detected during the preliminary investigation.
In addition, ParaSwap disabled support for the vulnerable v6 contract in its recently updated user interface and reverted to using v5. The team stated the following:
“We have successfully retrieved funds for all addresses and more details about the reimbursement process will be shared soon.”
Software Bugs and Artificial Intelligence
Users who granted approvals to the vulnerable contract remain at risk unless they revoke those approvals, and ParaSwap recommends using services like Revoke to do so.
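To make the revocation step concrete, here is an added example (not ParaSwap's or Revoke's code) showing what a wallet or script does under the hood: it builds the ERC-20 allowance(owner, spender) query, decodes the returned allowance, and constructs the approve(spender, 0) transaction that revokes it. The spender address is a placeholder, since the article does not give the Augustus v6 address, and all call results are constructed locally so the code runs offline.

```javascript
// Added example, not ParaSwap's own code. Builds and decodes the raw ERC-20 calls a wallet
// uses to (1) read the allowance a user has granted to a spender and (2) revoke it by setting
// the allowance to zero. All data here is constructed; in practice the allowance calldata is
// sent via eth_call and the revoke calldata as a signed transaction to the token contract.

// Well-known ERC-20 function selectors: the first 4 bytes of keccak256 of the signature.
const SELECTOR_ALLOWANCE = "dd62ed3e"; // allowance(address owner, address spender)
const SELECTOR_APPROVE = "095ea7b3";   // approve(address spender, uint256 amount)
const MAX_UINT256 = (1n << 256n) - 1n;

// Placeholder: the article does not give the Augustus v6 address, so this is a dummy spender.
const VULNERABLE_SPENDER = "0x" + "aa".repeat(20);

function normalizeAddress(addr) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(addr)) throw new Error("bad address: " + addr);
  return addr.slice(2).toLowerCase();
}

// ABI-encode an address as a 32-byte word (left-padded with zeros).
function encodeAddress(addr) {
  return normalizeAddress(addr).padStart(64, "0");
}

// ABI-encode a uint256 as a 32-byte word.
function encodeUint256(value) {
  const v = BigInt(value);
  if (v < 0n || v > MAX_UINT256) throw new Error("uint256 out of range");
  return v.toString(16).padStart(64, "0");
}

// Calldata for allowance(owner, spender): what eth_call sends to the token contract.
function encodeAllowanceCall(owner, spender) {
  return "0x" + SELECTOR_ALLOWANCE + encodeAddress(owner) + encodeAddress(spender);
}

// Decode the single 32-byte uint256 word that allowance() returns; reject anything else.
function decodeUint256(returnData) {
  const hex = returnData.startsWith("0x") ? returnData.slice(2) : returnData;
  if (hex.length !== 64 || !/^[0-9a-fA-F]+$/.test(hex)) throw new Error("malformed return data");
  return BigInt("0x" + hex);
}

// Calldata for approve(spender, 0): the transaction that revokes the approval.
function encodeRevokeCall(spender) {
  return "0x" + SELECTOR_APPROVE + encodeAddress(spender) + encodeUint256(0n);
}

// Classify an allowance. "Unlimited" approvals (2^256-1 or close to it, as many dapps
// request) expose the user's whole token balance to a flawed spender, not just one swap.
function classifyAllowance(value) {
  if (value === 0n) return "none";
  if (value >= MAX_UINT256 >> 1n) return "unlimited";
  return "limited";
}

// Given eth_call results for several (token, spender) pairs, return the revoke
// transactions the user needs to send. Entries of `results` are {token, spender, returnData}.
function planRevocations(results) {
  const txs = [];
  for (const r of results) {
    const allowance = decodeUint256(r.returnData);
    if (allowance === 0n) continue; // nothing granted, nothing to revoke
    txs.push({
      to: r.token,
      data: encodeRevokeCall(r.spender),
      allowance,
      kind: classifyAllowance(allowance),
    });
  }
  return txs;
}

// Constructed sample data (no network): token A has an unlimited approval to the
// placeholder spender, token B has none.
const OWNER = "0x" + "11".repeat(20);
const TOKEN_A = "0x" + "01".repeat(20);
const TOKEN_B = "0x" + "02".repeat(20);
const sampleResults = [
  { token: TOKEN_A, spender: VULNERABLE_SPENDER, returnData: "0x" + "f".repeat(64) },
  { token: TOKEN_B, spender: VULNERABLE_SPENDER, returnData: "0x" + "0".repeat(64) },
];

console.log("allowance query:", encodeAllowanceCall(OWNER, VULNERABLE_SPENDER));
console.log("revocations to send:", planRevocations(sampleResults));
```

Only token A yields a transaction: approve(spender, 0) sent to the token contract. Revocation services do the same per token, which is why a user must revoke on every token they approved to the flawed contract, not once per contract.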
Following this incident, the field of artificial intelligence came into focus again. Generative AI tools like ChatGPT-4 are good at generating code but cannot yet serve as reliable security auditors. A pair of researchers from Salus Security, a blockchain security company with offices in North America, Europe, and Asia, stated in a recently published research paper:
“GPT-4 can be a useful tool for assisting in smart contract audits, especially in parsing code and providing vulnerability hints. However, considering its limitations in detecting vulnerabilities, it cannot fully replace professional audit tools and experienced auditors at this time.”