The decentralized derivatives exchange dYdX has warned of a vulnerability found in a “newly deployed smart contract.” The project team reported that user funds are safe and that the error was promptly resolved.

At 05:21 UTC today the dYdX team was alerted of a security issue with a newly deployed smart contract ❗If you have set allowance to deposit to https://t.co/1WbZbCpiuX since Wednesday 11/24 read for important recovery information❗ NO FUNDS WERE LOST AND ALL FUNDS ARE SAFE 🔒 – dYdX 🦔 (@dydxprotocol) November 27, 2021

The contract in question is probably the one responsible for “gasless” deposits of the stablecoin USD Coin (USDC) and swaps of certain ERC-20 tokens to USDC through the API of the liquidity aggregator 0x. The platform added this feature on November 24; after the incident, access to it was temporarily restricted.

The error was discovered by a white hat hacker known as samczsun. The potential exploit affected 700 addresses containing tokens worth about $2 million. As part of the vulnerability remediation procedure, these assets were transferred to an escrow contract address.

samczsun saves the day again pic.twitter.com/eozlcDnRZf – banteg (@bantg) November 27, 2021

Only users who allowed the platform to spend funds from their wallets after November 24 were affected. To recover assets from the escrow contract address, affected users must initiate the procedure themselves from the relevant wallet.

Users affected by the incident will see a notification when they go to the platform website. Funds can be recovered at any time.

Paid 20 $ for unset USDC. pic.twitter.com/1SEs9GvwX9 – Yekta. (@yekovski) November 27, 2021

The project team promised to publish full information about what happened once the affected users have recovered their funds.

As a reminder, in September dYdX developers discovered an error in the staking pool smart contract for the DYDX governance token.

