Golden Encyclopedia | What is the infinite coin attack? How does it work?

Author: Onkar Singh, CoinTelegraph; Compiler: Tao Zhu, Golden Finance

1. Explanation of unlimited coin minting attacks

Unlimited coin minting attacks refer to attackers manipulating contract code to continuously mint new tokens beyond the authorized supply limit.

This hack is most common in decentralized finance (DeFi) protocols. This attack compromises the integrity and value of a cryptocurrency or token by creating an unlimited number of tokens.

For example, a hacker exploited a smart contract vulnerability in the Paid network to mint and destroy tokens, resulting in a loss of $180 million and an 85% drop in the value of PAID. Before the attack was stopped, more than 2.5 million PAID tokens were converted to Ethereum (ETH). The network compensated users and dispelled rumors of insider manipulation (rug pull).

Malicious actors may profit from such attacks by selling illegally created tokens or interfering with the normal operation of the affected blockchain network. The prevalence of unlimited coin minting attacks highlights the importance of conducting thorough code audits and incorporating security measures into smart contract development to prevent such vulnerabilities.

How does the infinite minting attack work?

In order to create a vulnerability that allows an attacker to mint an unlimited number of tokens, the infinite minting attack targets vulnerabilities in smart contracts, specifically those related to the token minting function.

Step 1: Vulnerability Identification

The attack method requires finding a logical weakness in the contract, usually related to input validation or access control mechanisms. Once a vulnerability is found, the attacker creates a transaction that exploits the vulnerability, causing the contract to mint new tokens without the necessary authorization or verification. This vulnerability may allow bypassing the intended limit on the number of tokens that can be created.

Step 2: Exploitation

The vulnerability is triggered by a malicious transaction constructed by the attacker. This may require changing parameters, executing specific functions, or exploiting unforeseen connections between various code segments.

Step 3: Infinite Mining and Token Dumping

The vulnerability allows the attacker to issue more tokens than the protocol architecture intended. This flood of tokens could lead to inflation, which would reduce the value of the currency associated with the token and could cause losses to various stakeholders, including investors and users.

Token dumping refers to the practice of an attacker rapidly flooding the market with newly created tokens and then exchanging them for stablecoins or other cryptocurrencies. The value of the original token drops dramatically due to the unexpected increase in supply, causing the price to plummet. However, the tokens are sold before the market has a chance to benefit the attacker.

III. Consequences of an unlimited minting attack

Unlimited minting attacks can lead to rapid depreciation of token value, financial losses, and ecosystem damage.

Unlimited minting attacks can create an unlimited number of tokens or cryptocurrencies, causing the affected assets to depreciate immediately and causing huge losses to users and investors. This can undermine confidence in the affected blockchain network and its connected decentralized applications, thereby damaging the integrity of the entire ecosystem.

In addition, by selling tokens before the market has fully reacted, the attacker can make a profit and may leave others holding worthless assets. Therefore, if the attack leads to a liquidity crisis, investors may find it difficult or impossible to sell their assets at a fair price.

For example, during the December 2020 Cover Protocol attack, investors holding COVER tokens suffered financial losses when the token’s value dropped from over $700 to less than $5 in a matter of hours. More than 40 quadrillion tokens were minted by hackers.

A collapse in the value of a token could disrupt an entire ecosystem, including decentralized applications (DApps), exchanges, and other services that rely on the token’s stability. Attacks could lead to legal issues and regulatory scrutiny of projects, resulting in fines or other penalties.

IV. Infinite Minting Attacks and Reentrancy Attacks

Infinite minting attacks aim to create an unlimited number of tokens, while reentrancy attacks use a withdrawal mechanism to continuously consume funds.

Infinite minting attacks exploit flaws in the token creation process to produce an unlimited supply, thereby depressing the value and causing losses to investors.

Reentrancy attacks, on the other hand, focus on the withdrawal procedure, allowing the attacker to continuously drain funds from the contract before the contract has a chance to update its balance.

While any attack can have disastrous consequences, understanding the difference is critical to developing effective mitigation techniques.

The main difference between an infinite minting attack and a reentrancy attack is:

V. How to Prevent Infinite Minting Attacks in Cryptocurrency

By emphasizing security and taking precautions, cryptocurrency projects can greatly reduce the likelihood of becoming the target of an infinite minting attack and protect the investments of community members.

A multifaceted strategy that prioritizes security at every stage of a cryptocurrency project is needed to prevent infinite minting attacks. Thorough and frequent smart contract audits by independent security experts are essential. These audits carefully examine the code for flaws that could be used to mint an unlimited amount of tokens.

Strong access controls must be implemented; minting rights should only be granted to authorized parties; multi-signature wallets should be used to increase security. Real-time monitoring tools are essential to quickly respond to possible attacks and identify any strange trading patterns or sudden surges in token supply.

Projects should also have strong backup plans, ready to quickly handle any possible attacks and minimize losses. This requires maintaining open channels of communication with exchanges, wallet providers, and the community at large to anticipate possible issues and develop solutions.