Date: 2021-11-09

Cross-chain protocols continue to face challenges, and Synapse Bridge narrowly avoided a multi-million dollar exploit.

On November 7, Synapse Bridge announced on Discord that it had prevented a hacker from stealing approximately US$8 million from the Avalanche Neutral Dollar (nUSD) Metapool.

The hacker attempted to exploit a vulnerability by using the bridge to transfer assets from Polygon (MATIC) to Avalanche (AVAX). Synapse is a cross-chain bridge designed to facilitate exchanges or swaps and transfers between a series of layer one and layer two protocols using an automated market maker (AMM).

Synapse Bridge stated: “In the last 16 hours, we found and discovered a contract bug in the way AMM Metapool contracts handle virtual price calculations against the base pool virtual price”.

As soon as the Synapse validators became aware of the unusual AMM activity, the protocol paused its support for all chains and was taken offline. By shutting down the network, the validators were able to collectively choose to roll back the transaction before it could be confirmed. This way, the funds would not be minted to the attackers’ address on the target chain.

“Validators will mint the nUSD back to the affected Avalanche LPs. All Avalanche nUSD LPs will be complete, with no loss of funds,” stated Synapse Bridge. The funds from the declined transaction will be used to reimburse the affected liquidity providers once the full audit of the exploit has been completed.

Synapse Bridge has now deployed new nUSD pools, which are a standard stableswap pool of four assets instead of a metapool.

“This is the safest route, as the stableswap base contract (distinct from the Metapool contracts) has been thoroughly tested on many different platforms,” Aurelius wrote.

Synapse Bridge says the network is now online and has resumed normal activity. User backlogs and pending transactions have also been processed. Synapse Bridge has notified Saddle, the developer of the Metapool contracts. Saddle has also paused its pool. Only Saddle metapools were affected by the exploit.

