Recently, Madness encountered a serious incident related to the Stake feature, where several wallets exploited a vulnerability to manipulate the APR.
Below are the full details of the exploit process, estimated damages, and the resolution plan.
1. Exploit Process
Initially, certain "whale" wallets staked a large amount of $MON like regular users over a period of time in order to accumulate massive rewards. Later, they withdrew both their principal and rewards in a short timeframe, which caused the APR to spike significantly. A number of clone wallets then staked small amounts to take advantage of this abnormal APR.
Finally, the whales re-staked their funds to normalize the APR, but by then, the clone wallets had already made significant profits through this manipulation.
2. Estimated Damage
The total estimated damage is 886,519 MON, affecting approximately 36,860 users (data provided by the Monad team).
3. Remediation and Reimbursement Plan
Due to the exploit in the Stake contract affecting APR calculations, all previously accumulated rewards will be invalidated. We will only reimburse users with the original amount they initially staked.
All lost assets will be compensated based on the following $MON conversion rates:
MON, APR MON, sMON, ShMON, gMON → 1:1 ratio to MON
Yaki = 0.0018 MON
Dak = 0.3049 MON
CHOG = 0.0229 MON
NOTE: Balances > 5000 MON were refunded only 5000 MON.
Reimbursement logic:
If total deposit (in) > total withdrawal (out): your wallet will have a positive balance, and we will reimburse the full positive amount.
If total deposit (in) < total withdrawal (out): your wallet will have a negative balance, and no reimbursement will be made.
Example:
You deposit 1,000 MON, then earn 100 MON in rewards and withdraw the full 1,100 MON. The system records: in = 1,000, out = 1,100 → balance = -100. Then you stake another 1,100 MON. The system will treat it as only 1,000 MON being staked (after deducting the -100 balance). This logic serves as the basis for our reimbursement.
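The reimbursement logic above, written out as an added example (not the Madness team's own code). It assumes each wallet's deposits and withdrawals are converted to MON at the listed rates and netted together, and that the 5000 MON cap applies to that net balance; the ledgers are constructed sample data.

```python
from decimal import Decimal

# Conversion rates to MON, copied from the reimbursement plan above.
RATES = {
    "MON": Decimal("1"), "APR MON": Decimal("1"), "sMON": Decimal("1"),
    "ShMON": Decimal("1"), "gMON": Decimal("1"),
    "Yaki": Decimal("0.0018"), "Dak": Decimal("0.3049"), "CHOG": Decimal("0.0229"),
}
CAP = Decimal("5000")  # balances above 5000 MON are refunded 5000 MON


def net_balance(ledger):
    """Sum a wallet's ledger in MON: deposits ('in') minus withdrawals ('out').

    Assumption: all tokens are converted to MON and netted per wallet.
    """
    balance = Decimal("0")
    for direction, token, amount in ledger:
        if token not in RATES:
            raise ValueError(f"no conversion rate for {token!r}")
        value = Decimal(str(amount)) * RATES[token]
        if value < 0:
            raise ValueError("amounts must be non-negative")
        if direction == "in":
            balance += value
        elif direction == "out":
            balance -= value
        else:
            raise ValueError(f"unknown direction {direction!r}")
    return balance


def reimbursement(ledger):
    """Positive net balance is reimbursed up to CAP; otherwise nothing."""
    balance = net_balance(ledger)
    if balance <= 0:
        return Decimal("0")
    return min(balance, CAP)


# Constructed ledgers: (direction, token, amount).
PAGE_EXAMPLE = [("in", "MON", 1000), ("out", "MON", 1100), ("in", "MON", 1100)]
WITHDREW_ALL = [("in", "MON", 1000), ("out", "MON", 1100)]
MIXED_TOKENS = [("in", "Dak", 2000), ("in", "Yaki", 10000), ("out", "MON", 100)]
OVER_CAP = [("in", "sMON", 8000)]

if __name__ == "__main__":
    for name, ledger in [("page example", PAGE_EXAMPLE), ("withdrew all", WITHDREW_ALL),
                         ("mixed tokens", MIXED_TOKENS), ("over cap", OVER_CAP)]:
        print(name, net_balance(ledger), reimbursement(ledger))
```

Withdrawn rewards show up as a negative balance that later deposits must first offset, which is why the page's example is reimbursed 1,000 MON rather than 1,100.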
4. Lessons Learned & System Improvements
This incident has provided us with critical insights. We are currently reinforcing and improving the system to ensure stronger protection before the official launch.
While the Monad Foundation has generously supported adjustments for this testnet incident, it’s important to highlight that such support will not be extended on mainnet. All teams are expected to conduct thorough testing and take full responsibility for their deployments moving forward.
Once again, we extend our sincere gratitude to the Monad team for their dedicated support in helping us resolve this issue.
Sincerely, The Madness Team