White Hat Hacker Exposes Flaws in El Dorado DEX
When new projects are launched in web3, users should always proceed with caution. These projects may have code that’s not fully hardened and may not have received sufficient scrutiny prior to launch.
Recently, an attacker was able to steal $580,000 worth of tokens from the new El Dorado Exchange. The theft highlights how important it is to do your own research (DYOR) before investing your time or money. Given that El Dorado is a legendary city of gold somewhere in the Americas that no one ever found, perhaps users should have been more on guard in scrutinizing this particular project.
What is the El Dorado exchange?
The El Dorado DEX began in September 2022 and launched its token, EDE, in December. The project’s founders describe El Dorado as a permissionless, non-custodial cross-chain marketplace and platform, aiming to create something like Uniswap, only better.
As described in its white paper, El Dorado is built on the decentralized liquidity protocol Maya, a fork of the Layer 1 solution THORChain. Lauding the benefits of decentralization, the founders state goals that include making their platform the top destination for Maya users and generating income from swap fees and node operations.
El Dorado’s plans appear exciting and ambitious in their documentation, proclaiming they will become “the central development hub for Maya Protocol and its upcoming Aztec chain.”
“The scope of the project includes but is not limited to becoming Maya and Aztec’s:
- Primary Native DEX
- Decentralized Lending and Borrowing Hub
- Funding Mechanism (Launchpads may not be referred to as Launchpads in the next cycle, we are planning to call our Funding Mechanism/Launchpad a “Fair Launcher”)
- VC Entity (with enough success, El Dorado will grow a venture arm to fund projects)”
In spite of the bold proclamations in their founding document, the way El Dorado built their platform would soon lead to an embarrassing hack.
The white hat exploit
On May 29, 2023, an attacker discovered a backdoor that developers had installed in El Dorado’s code, which enabled them to manipulate token prices on the platform and to withdraw any user’s tokens. The attacker left a note confirming that they had used the flaw to increase the token’s price and subsequently sell $580,000 worth of tokens.
The price spiked as the attacker posted ever higher prices, after which the attacker sold the tokens at the elevated price. The attacker left a note in the Arbiscan data page for the transaction, explaining how they’d accomplished the theft. The note contained a troubling allegation against the El Dorado team–that the developers had intentionally installed a backdoor to steal users’ funds.
PeckShield was first to notice that El Dorado had been hacked. The blockchain security firm tweeted out the hacker’s comments, asking the El Dorado team to explain themselves.
PeckShield also took note of the 3-day-long smart contract audit of El Dorado’s blockchain conducted by Lunaray Technology back in March, several months prior. If the code had been audited, how had this problem gone unnoticed?
The attacker proclaimed their actions a white hat operation. They promised to return all but 10% of the stolen tokens–retained as their fee for uncovering the problem–if the developers would admit they had installed the backdoor.
It seemed like a setup for a rug pull operation, with code that enabled the developers to withdraw funds on the platform. In June ’23, EDE was trading under 50 cents, down from its height of over $15 achieved in February ’23.
How was the hack accomplished, technically? As Numen’s analysis found, El Dorado’s team built an updateWithSig function into its oracle contract that didn’t require authentication, as it normally would. This allowed the attacker to directly change token prices. Numen also noted that the contract wasn’t open source, making it more difficult for users to view the code and discover the problem.
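The class of flaw Numen describes, shown beside a version that authenticates the signed price before accepting it. This is an added example, not El Dorado's code (which, as noted above, was not open source); apart from the name updateWithSig, every identifier is hypothetical, and the exact shape of the missing check is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, NOT El Dorado's contract. Only the name updateWithSig
// comes from the article; every other identifier here is hypothetical.
contract SignedPriceOracle {
    address public immutable trustedSigner;          // key allowed to sign quotes
    uint256 public constant MAX_AGE = 60;            // seconds a quote stays valid
    mapping(address => uint256) public price;        // token => accepted price
    mapping(address => uint256) public lastQuoteAt;  // token => newest quote time

    constructor(address signer) {
        require(signer != address(0), "signer required");
        trustedSigner = signer;
    }

    // Flawed shape: a signature is passed in but nothing checks who produced
    // it, so any caller can set any price for any token.
    function updateWithSigUnchecked(
        address token, uint256 newPrice, uint256 /*quotedAt*/, bytes calldata /*sig*/
    ) external {
        price[token] = newPrice;
    }

    // Hardened shape: the price is accepted only if a fresh, unreplayed quote
    // was signed by the one authorized key.
    function updateWithSig(
        address token, uint256 newPrice, uint256 quotedAt,
        uint8 v, bytes32 r, bytes32 s
    ) external {
        require(quotedAt <= block.timestamp, "quote from the future");
        require(block.timestamp - quotedAt <= MAX_AGE, "stale quote");
        require(quotedAt > lastQuoteAt[token], "replayed quote");

        // Bind the signature to this chain, this contract and these values.
        bytes32 digest = keccak256(
            abi.encode(block.chainid, address(this), token, newPrice, quotedAt)
        );
        bytes32 signedHash = keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", digest)
        );
        address recovered = ecrecover(signedHash, v, r, s);
        // ecrecover returns address(0) for a malformed signature.
        require(recovered != address(0) && recovered == trustedSigner, "bad signer");

        lastQuoteAt[token] = quotedAt;
        price[token] = newPrice;
    }
}
```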
El Dorado and their auditor’s responses
The project’s founders replied to the attacker with a message that satisfied the white-hat attacker and led to the return of funds:
“Yes we acknowledge that we made an ill-advised decision to manipulate the price. However our intention was to blacklist those who had previously exploited the system, fully aware that all transactions are recorded on the blockchain. We did not aim to misappropriate users [sic] funds as this would leave a traceable record. We will promptly remove the problematic bomb contract.”
In response, the attacker returned all but $100,000 worth of tokens, retaining that as a ‘fee’ for uncovering the vulnerability.
Lunaray noted that the code containing the flawed updateWithSig was not included in the scope of its March audit. Lunaray tweeted later that same day that this area was “left behind during the official update of features” but that the problem was now fixed.
The community reacts
While the El Dorado team’s response satisfied the attacker, the web3 user community response wasn’t as favorable.
Here are a few typical reactions, from a crypto Reddit thread about the hack:
Regardless of their intentions, the El Dorado developers admitted that they put the backdoor in place deliberately. They also used closed-source smart contracts, rather than open-source ones. Those are both warning signs.
Spotting El Dorado’s red flags
Was it that hard to spot the problems at El Dorado? No. Even someone without coding knowledge could pick up on some issues from reading through the project’s white paper.
One is that El Dorado’s developer team all go by pseudonyms: Coronado, OxLeifErickson, OxMagellan, Vasco, and Yucatan Larry. These founders vaguely claim decades of relevant experience on the white paper’s Team page, without naming any previous projects. If you search on these handles, you get few results. Their Twitter handles show anime gifs, not real faces. Coronado joined Twitter in April 2023, OxLeifErickson last fall. If they’d used their backdoor to do a rug pull, it would have been easy for them to disappear.
3 Lessons of the El Dorado exploit
What can you take away from the El Dorado exploit that will help you avoid getting ripped off? The major point is that it’s important to research any project you’re thinking about getting involved with or buying tokens from.
Our top three tips from El Dorado:
1. Intent doesn’t matter as much as fundamentals.
Whether the El Dorado team was planning a rug pull or had good intentions, the effect is the same: users were at risk of theft. What matters are the project’s fundamentals: the quality of the team and their code, their track record in running successful web3 projects, and whether their white paper seems to promise the moon or appears executable.
2. Seek open-source smart contracts.
El Dorado wasn’t using open-source smart contracts, creating a lack of transparency that made it easier for the backdoor to lurk in the code without immediate detection by the community. The closed-source code took more work to examine, but the white hat attacker was still able to find the problem.
Other users could have done the same, but instead the vulnerability was in place on an active DEX for months before it was detected. It was just luck that users didn’t have their funds stolen sooner, whether by the founders themselves or by a black hat attacker.
3. Audits don’t catch everything.
It’s a common practice that not all of the code is included in a smart contract audit. That was the case here–the part of El Dorado’s DEX with the backdoor wasn’t part of Lunaray’s audit. Diligent users could have noted what wasn’t audited and examined those parts of the code themselves.
DYOR to avoid getting scammed
Despite its recent hack and the revelation that the team installed a backdoor, El Dorado has forged ahead. Just weeks after the late-May white hat attack, El Dorado announced plans for a $500,000 funding raise. If successful, the raise would grant 10% of El Dorado’s value to investors at a valuation for El Dorado of between $6M and $7M.
A close reading of its fundraise prospectus released in mid-June ’23 only raises more suspicion. It indicates that because DEXs are gaining in popularity and THORChain has been successful, users can conclude that Maya will be an even bigger success–and by association, El Dorado as well. In reality, any number of problems could prevent El Dorado’s success. There’s no disclosure or discussion of possible risks in El Dorado’s business model, as would be routine in a traditional IPO prospectus.
El Dorado promises a long list of investor perks including a physical token made by Foundry. But it offers few details of how the project will fulfill its goal of capturing over 50% of Maya’s swap volume, among the many competing projects vying for that traffic.
There are plans to build a large social audience, on which El Dorado has thus far made only small inroads–under 1,000 Twitter followers versus the 10,000 the prospectus envisions. In addition, “our UI/UX revamp is in the works to create an interface experience richer than anything that currently exists, with exquisite digital art and an unmistakable, City of Gold look and feel.” It’s unclear how beautiful digital art will guarantee the project’s success. Many great-looking platforms have failed in the history of web3.
They’ll also “begin business development, networking with new teams and projects that we will incubate and launch on Maya’s upcoming Aztec programmable L1 (in anticipation of the chain launching this summer).” There are no details describing any of those projects.
El Dorado is “not a pitch deck with an idea for a product,” the prospectus states, because their marketplace is live. But on a recent visit, only two coins could be swapped, THORChain and Maya’s native coins $RUNE and $CACAO. It appears El Dorado is not yet the cross-chain marketplace it aspires to become.
If El Dorado’s pitch strikes you as a bit pie in the sky–like finding a lost city of gold–then research closely before you invest time or funds here.
For another in-depth analysis of a web3 attack and more tips on how to safeguard your crypto, check out Dragonscale’s teardown of the Monkey Drainer phishing scam.