On April 5, 2021, Polkatrain, a decentralized fundraising platform operating in the Polkadot ecosystem, suffered a rebate arbitrage attack resulting in the loss of $3 million.
The attack was detected by the blockchain ecosystem security platform SlowMist, which indicated that the hack targeted a Polkatrain contract with swap functionality and a rebate mechanism, dubbed POLT_LB.
The analysis adds that the attackers took advantage of flaws in the system’s update function.
In this case, users who purchase the Polkatrain native token POLT are eligible for a certain amount of rebates. By design, the system sends the rebates through the transfer function, at which point the update function takes over.