After the launch of Pixel Inc, everyone was having fun painting on the canvas until Mudit messaged me. He had found a major issue.
The Pixel contract includes BoringBatchable, which allows several calls to the same contract to be made in a single transaction.
When painting on the canvas, payment is verified by checking msg.value.
Using Batchable to make multiple paint calls in one transaction, the msg.value sent once is accepted as payment for each of those calls.
This allowed unlimited minting of PIXEL tokens and draining all MATIC out of the contract.
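The bug class above, as an added illustration that is not the Pixel Inc contract or BoringBatchable itself: a minimal delegatecall-based batcher, a canvas that verifies payment by reading msg.value directly, and a hardened variant that credits the received value once per batch and charges each paint from that budget. The contract names, the paint/batch/_charge functions, the PIXEL_PRICE constant and the Painted event are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's own code. All names below are assumed.

// Batcher in the style of BoringBatchable: every sub-call runs via delegatecall,
// which preserves msg.sender AND msg.value for each inner call.
abstract contract Batchable {
    function batch(bytes[] calldata calls) external payable virtual {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, ) = address(this).delegatecall(calls[i]);
            require(ok, "batch call failed");
        }
    }
}

// VULNERABLE pattern: payment is verified by reading msg.value directly.
// Inside a batch every inner paint() observes the same msg.value, so one
// payment of PIXEL_PRICE satisfies N paint calls while only one price was received.
contract PaintCanvasVulnerable is Batchable {
    uint256 public constant PIXEL_PRICE = 1 ether; // assumed price (1 MATIC)
    mapping(address => uint256) public pixelBalance;
    event Painted(address indexed painter, uint256 x, uint256 y, uint24 color);

    function paint(uint256 x, uint256 y, uint24 color) external payable {
        require(msg.value == PIXEL_PRICE, "wrong payment");
        pixelBalance[msg.sender] += 1;           // PIXEL credited per call
        emit Painted(msg.sender, x, y, color);
    }
}

// FIXED pattern: value is accounted for explicitly. batch() records the value
// actually received exactly once, and each paint() draws its price from that
// budget instead of re-reading msg.value, so N paints need N * PIXEL_PRICE.
contract PaintCanvasFixed is Batchable {
    uint256 public constant PIXEL_PRICE = 1 ether;
    mapping(address => uint256) public pixelBalance;
    event Painted(address indexed painter, uint256 x, uint256 y, uint24 color);

    uint256 private _budget;  // value received by the current batch, not yet spent
    bool private _inBatch;    // blocks a nested batch from re-crediting msg.value

    function batch(bytes[] calldata calls) external payable override {
        require(!_inBatch, "nested batch");
        _inBatch = true;
        _budget = msg.value;                      // credited once per transaction
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, ) = address(this).delegatecall(calls[i]);
            require(ok, "batch call failed");
        }
        require(_budget == 0, "unspent value");   // reject over- or under-use
        _inBatch = false;
    }

    // Charges `amount` from the batch budget, or from msg.value on a direct call.
    // Relies on paint() making no external calls, so _inBatch cannot be abused
    // by a re-entrant direct call while a batch is in progress.
    function _charge(uint256 amount) internal {
        if (_inBatch) {
            require(_budget >= amount, "insufficient value for batch");
            _budget -= amount;
        } else {
            require(msg.value == amount, "wrong payment");
        }
    }

    function paint(uint256 x, uint256 y, uint24 color) external payable {
        _charge(PIXEL_PRICE);
        pixelBalance[msg.sender] += 1;
        emit Painted(msg.sender, x, y, color);
    }
}
```

The general rule this demonstrates: a payable function that can be reached through a delegatecall-based multicall must never treat msg.value as "the amount paid for this call", because the same value is visible to every call in the batch. Either make the batch entry point non-payable, or, as above, read msg.value once at the batch boundary and debit an explicit budget inside.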
In response we took the following actions:
- The MATIC earned by the team that was sitting on the contract was withdrawn.
- Most of the liquidity of the SushiSwap pool was under team control and was removed. Now less than $200 remains from 2 LPs. They should withdraw this.
- The UI was updated and the canvas is now ‘locked’. A snapshot of the canvas is taken and will be uploaded in the new contract.
- A snapshot of the PIXEL token balances was taken and these will be used to issue new tokens.
We’ll redeploy both the canvas and a new PIXEL token with all the same balances. Users don’t have to do anything. Once this is done we’ll announce a date and time the canvas will unlock and we’ll continue where we left off.
A massive thanks to Mudit for finding and reporting this! And thanks to the community for supporting this project; please bear with us while we get this show back on the road…
Update 1: All data (PIXEL balances, the canvas data, ambassador program info) has been extracted. The fixed contract is mostly done. Time for a nap as it’s 7am and I’d like to write the redeployment with a fresh mind. If all goes well we should be back up and running within a day.
Update 2: Full replicated deployment is live on the Polygon Testnet and the current site points to that. Currently loading the replicated state into Polygon mainnet. If all goes well this will take about 2 hours.
Update 3: Everything has been restored, canvas unlocks in 30 minutes.