We have received a report of an XYK pool exploit in which the owner of a pool, holding either an infinite supply of a token or a big supply of 2 legit tokens, would create a small pool and fish for a big liquidity provider to add liquidity, frontrun the liquidity add to change the price significantly, and then re-shuffle the price back to the original.
This could potentially lead to value extraction, although if done with a legit token, it is not risk-free for the attacker.
This is also not something that would happen on Hydration in any normal circumstance. The attack resembles more of a pump and dump scenario, and as such we would like to warn all users LPing or swapping in the "degen mode" that it is a high-risk activity; always DYOR.
Given all the circumstances, we don't see this as something that is viable to perform on Hydration, but nevertheless, we have decided to fix this completely and reward the hacker with a medium-level finding.
Reward: 5k$ in HDX, 7d Average at 0.01381~
There is a new function that has an extra limit to protect XYK LPs from these kinds of attacks.
https://github.com/galacticcouncil/hydration-node/pull/1074
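The kind of limit check described above, as an added Rust example that is not code from the pull request or from hydration-node: a constant-product pool whose liquidity add is rejected when the pool ratio has moved since the LP quoted it. The type and function names, the fee-free swap and the 1% tolerance are assumptions made for illustration.

```rust
// Added illustration: a minimal constant-product (x*y=k) pool with a
// limit-checked liquidity add. All names are hypothetical, not the project's API.
#[derive(Clone, Debug)]
pub struct Pool { pub reserve_a: u128, pub reserve_b: u128, pub shares: u128 }

#[derive(Debug, PartialEq)]
pub enum AddError { AmountBAboveLimit, SharesBelowLimit, EmptyPool }

impl Pool {
    /// Swap `amount_in` of A for B (fee omitted to keep the arithmetic visible).
    pub fn swap_a_for_b(&mut self, amount_in: u128) -> u128 {
        let out = self.reserve_b * amount_in / (self.reserve_a + amount_in);
        self.reserve_a += amount_in;
        self.reserve_b -= out;
        out
    }

    /// Add `amount_a` of A plus the B the current ratio demands, but only if
    /// the outcome stays inside the bounds the LP agreed to when quoting.
    pub fn add_liquidity_checked(&mut self, amount_a: u128, max_amount_b: u128, min_shares: u128)
        -> Result<(u128, u128), AddError> {
        if self.reserve_a == 0 || self.shares == 0 { return Err(AddError::EmptyPool); }
        let amount_b = amount_a * self.reserve_b / self.reserve_a + 1; // +1 rounds the deposit up
        let minted = amount_a * self.shares / self.reserve_a;
        if amount_b > max_amount_b { return Err(AddError::AmountBAboveLimit); }
        if minted < min_shares { return Err(AddError::SharesBelowLimit); }
        self.reserve_a += amount_a;
        self.reserve_b += amount_b;
        self.shares += minted;
        Ok((amount_b, minted))
    }
}

/// Constructed scenario: the LP quotes against a 1_000 : 1_000 pool, then the
/// ratio is moved by a swap before the add executes.
pub fn demo() -> (Result<(u128, u128), AddError>, Result<(u128, u128), AddError>) {
    let quoted = Pool { reserve_a: 1_000, reserve_b: 1_000, shares: 1_000 };
    let mut honest = quoted.clone();
    let mut moved = quoted.clone();
    moved.swap_a_for_b(1_000); // ratio changes between quote and execution
    // LP adds 10_000 A and tolerates a 1% deviation from the quoted result.
    (honest.add_liquidity_checked(10_000, 10_100, 9_900),
     moved.add_liquidity_checked(10_000, 10_100, 9_900))
}

fn main() { println!("{:?}", demo()); }
```

In the moved pool the B deposit alone would pass its bound, so the add is stopped only by the minimum-shares bound; a move in the opposite direction trips the maximum-B bound instead.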
After checking, this is a proposal initiated by the team.
But in order to improve the efficiency of proposal voting and urge identity authentication, I voted against it.
There is a lot of room for optimization in identity authentication.