Mean is back!
It’s been a while since our last post, so let’s take a second to do a quick recap.
About a month ago, a whitehat submitted a report through ImmuneFi detailing how a potential hacker could create and use a poisonous token to access user funds. At that moment we validated the report and paused all the contracts. This meant that users could no longer make deposits or execute swaps (withdrawals were available at all times).
The problem itself was quite easy to fix but, as you might have realized, we didn’t re-deploy immediately. We do our best to put security first, so we decided to delay the relaunch and set up a bug bounty on ImmuneFi with the patched version of the code. We wanted to give whitehat hackers the possibility to report any other vulnerabilities before re-deploying. After a week or so, we decided to increase the bounty to attract more shadowy super coders and get more eyes on the code.
It’s relaunch time!
Almost three weeks have passed since the bug bounty was first announced, and no critical issues have been reported. So let’s go over what we’ve done all this time, and what’s new in this version:
Changes to the smart contracts
First and foremost, we fixed the reported vulnerability. The previous attack is no longer possible.
A whitehat reported that, in some cases, users could end up with slightly fewer swapped tokens than expected. This could happen when users created a position with certain tokens that had few decimals. We checked and no users had been impacted by this in the previous version, but we fixed it for the relaunch.
This is probably the most controversial of the changes we’ve made. In the previous version, Mean Finance would automatically work with all ERC20 tokens. We have now implemented an allow list that controls which tokens can be deposited or swapped.
Like we said before, security is our first priority. We want to be as open as possible, but we need to put our users’ safety first. We decided that we wanted to be able to perform some due diligence before adding support for a token, even if that means that new integrations might slow down a little.
Why are we doing this? We want to prevent the use of poisonous tokens, but we’ve also seen that some real and popular tokens can be used to attack protocols. Like:
- Double entry ERC20s like TUSD & SNX
- Tokens with extreme volatility like LUNA
- Tokens with low liquidity on Uniswap Oracles, like VUSD & others
This change will allow us to investigate new tokens before adding them to Mean Finance, and prevent scenarios like the ones mentioned above.
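To make the allow-list mechanism concrete, here is an added, hypothetical Solidity sketch of how such a gate is typically wired into a protocol. It is example code written for this post, not Mean Finance’s actual contracts; the contract, function and event names are assumptions. The points it illustrates: a curated mapping that only the owner can change, a modifier that rejects any token not on the list at the deposit and swap entry points, and a withdrawal path that is deliberately left ungated so users can always exit even if a token is later revoked (as withdrawals stayed available during the pause described above).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical example (not Mean Finance's code): a token allow list guarding
// the deposit and position-creation paths of a protocol.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract TokenAllowList {
    address public owner;
    // Tokens that passed due diligence; everything else is rejected by default.
    mapping(address => bool) public isAllowed;
    // user => token => balance held by the protocol on the user's behalf.
    mapping(address => mapping(address => uint256)) public balances;

    event TokensAllowed(address[] tokens, bool allowed);
    event Deposited(address indexed user, address indexed token, uint256 amount);
    event Withdrawn(address indexed user, address indexed token, uint256 amount);

    error NotOwner();
    error TokenNotAllowed(address token);
    error InsufficientBalance();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Reverts for any token that has not been explicitly vetted, so an unknown
    // or deliberately misbehaving ERC20 never enters the protocol's accounting.
    modifier onlyAllowed(address token) {
        if (!isAllowed[token]) revert TokenNotAllowed(token);
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Allow or revoke a batch of tokens after off-chain review.
    function setAllowed(address[] calldata tokens, bool allowed) external onlyOwner {
        for (uint256 i = 0; i < tokens.length; i++) {
            isAllowed[tokens[i]] = allowed;
        }
        emit TokensAllowed(tokens, allowed);
    }

    // Deposit is gated: only listed tokens can be brought in.
    function deposit(address token, uint256 amount) external onlyAllowed(token) {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[msg.sender][token] += amount;
        emit Deposited(msg.sender, token, amount);
    }

    // A swap-style entry point must check BOTH legs of the pair.
    function createPosition(address from, address to, uint256 amount)
        external
        onlyAllowed(from)
        onlyAllowed(to)
    {
        if (balances[msg.sender][from] < amount) revert InsufficientBalance();
        // Position bookkeeping would go here; omitted in this sketch.
    }

    // Withdrawals are intentionally NOT gated by the allow list: revoking a token
    // must never trap funds that users already deposited.
    function withdraw(address token, uint256 amount) external {
        if (balances[msg.sender][token] < amount) revert InsufficientBalance();
        balances[msg.sender][token] -= amount;
        require(IERC20(token).transfer(msg.sender, amount), "transfer failed");
        emit Withdrawn(msg.sender, token, amount);
    }
}
```

The design choice worth noting is the asymmetry: entry points (deposit, position creation) fail closed on unknown tokens, while the exit path ignores the list entirely. That keeps a later revocation, for instance after a token turns out to be a double-entry ERC20 or loses its oracle liquidity, from becoming a denial of withdrawals.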
And if you want Mean to support a new token, just come to the #new-token-request channel on our Discord and we will try to add support for it as soon as possible.
We’ve been busy working not only on the smart contracts, but also gathering feedback from the community to bring a whole new UI to fruition. Now it will be easier to understand and use Mean for OGs and new Meaners 😎
The relaunch starts with Optimism, and Polygon will be following a few days after. But then… you will see Mean in some new and exciting places.
Since Mean started, the community has been asking for the ability to combine DCA & Yield together. We are happy to announce that we are currently working on making this a reality. When, you ask?