# MonoX 31 Million Exploit 

By [Arsen](https://paragraph.com/@arsen-5) · 2024-10-16

---

The root cause of the exploit was that, when calling `swapExactTokenForToken`, the attacker passed the same token as both `tokenIn` and `tokenOut`. The main purpose of this function is to deposit MONO tokens (the token that plays a crucial role in the exploit) into the pool.

![](https://storage.googleapis.com/papyrus_images/7bb89b48c933fe7404558ab81b7fe51426f3a95724ea0329fd2680d332954977.png)

Let’s move on to the `swapIn` function. The main thing to concentrate on here is the prices. And where are the prices calculated? Right, in `getAmountOut`.

![](https://storage.googleapis.com/papyrus_images/cfbf46787299585da8c32af42b80c13d57d35db044c5e787616c00430c50f0f0.png)

Following the getAmountOut function, we discovered that the `_getNewPrice` function is used to calculate the `tokenInPrice` and the `tokenOutPrice`.

When `tokenInPrice` is calculated, the flag `TxType.SELL` is passed as one of the parameters.

When `tokenOutPrice` is calculated, the flag `TxType.BUY` is passed as one of the parameters.

![](https://storage.googleapis.com/papyrus_images/c164f48d3a3297584a214c4b47e1d77dce7f66a6603ddf7d5c350cb00f000bde.png)

`_getNewPrice` is called for both `tokenIn` and `tokenOut`. Because the incoming and outgoing tokens are the same, the four variables in the price calculation formula are the same for both calls. We can now assume that `tokenOutPrice` will be greater than `tokenInPrice`.

So, let’s continue through the `swapIn` function. Because `tokenIn` and `tokenOut` are the same, the `_updateTokenInfo` function is called twice for the same token.

![](https://storage.googleapis.com/papyrus_images/29320ca4c11de66b0386eb042dca0f467fdd41ce672779efa3224efec3626cf0.png)

Remember! Above we stated that `tokenOutPrice` will be higher than `tokenInPrice`! What does that mean? Correct! During the second `_updateTokenInfo` call, the price is increased.

![](https://storage.googleapis.com/papyrus_images/348f5fc0b40a24f8f133360df4f3b8b46d5550a6d2a28b6149907ac837cab250.png)
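The overwrite described above, as a simplified Python model added here; it is not MonoX's contract code. The price rule, the pool numbers and the `reject_same_token` guard are assumptions of the example, chosen only so that a sell lowers the price and a buy raises it.

```python
from dataclasses import dataclass

SELL, BUY = "SELL", "BUY"  # stand-ins for the TxType flags named in the article

@dataclass
class Pool:
    price: int    # stored price of the token (constructed integer units)
    reserve: int  # token balance held by the pool

def get_new_price(price, reserve, delta, tx_type):
    # ASSUMED price rule for this model: selling into the pool lowers the
    # price, buying out of it raises the price.
    if tx_type == SELL:
        return price * reserve // (reserve + delta)
    return price * reserve // (reserve - delta)

def update_token_info(pool, new_price, reserve_delta):
    # Overwrites the stored price; the last writer wins.
    pool.price = new_price
    pool.reserve += reserve_delta

def swap(pools, token_in, token_out, amount_in, reject_same_token):
    if reject_same_token and token_in == token_out:
        raise ValueError("tokenIn and tokenOut must differ")  # hardened path
    p_in, p_out = pools[token_in], pools[token_out]
    # Both prices are derived from the state *before* either update.
    in_price = get_new_price(p_in.price, p_in.reserve, amount_in, SELL)
    amount_out = amount_in * in_price // p_out.price
    out_price = get_new_price(p_out.price, p_out.reserve, amount_out, BUY)
    update_token_info(p_in, in_price, amount_in)      # first update: lower price
    update_token_info(p_out, out_price, -amount_out)  # second update: higher price
    return amount_out

if __name__ == "__main__":
    pools = {"MONO": Pool(price=1000, reserve=10_000)}  # constructed values
    swap(pools, "MONO", "MONO", 1000, reject_same_token=False)
    print("after self-swap:", pools["MONO"])
    try:
        swap(pools, "MONO", "MONO", 1000, reject_same_token=True)
    except ValueError as err:
        print("guarded swap rejected:", err)
```

With two different tokens the two updates land on different pools, so the lower `tokenIn` price is kept; with the same token the second update replaces it, which is why the guard belongs at the top of the swap.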

So, after the price is updated to the higher value, the attacker calls `swapTokenForExactToken`. Compared to the function the attack started from (`swapExactTokenForToken`), it does the opposite: it swaps MONO for other tokens in the pool.

![](https://storage.googleapis.com/papyrus_images/147d7ebf0f8cd1dbd479741c56789988423cea389e01766690172857992b7798.png)

Eventually, to get the price of the swap, `swapOut` is called. Here we can see the final result and the reason why the MONO token was “pumped” earlier. The inflated price causes `amountIn` to become very small, which means “we give fewer MONO tokens to receive enough value in other assets”.

![](https://storage.googleapis.com/papyrus_images/af05eec067370274cbf6dba631419a6d55c4493676b3137216fc39fd7d150f13.png)

The hacker exploited a vulnerability in the MonoX protocol, where the same token could be used as both the `tokenIn` and `tokenOut` parameters. When the same token was used in the `swapTokenForExactToken` function, the price update for `tokenOut` overwrote the price update for `tokenIn`. This caused the price of the MONO token to rise sharply, allowing the hacker to use it to acquire the majority of assets within the protocol.

This educational article is based on the SlowMist write-up:

*   [https://slowmist.medium.com/detailed-analysis-of-the-31-million-monox-protocol-hack-574d8c44a9c8](https://slowmist.medium.com/detailed-analysis-of-the-31-million-monox-protocol-hack-574d8c44a9c8)

---

*Originally published on [Arsen](https://paragraph.com/@arsen-5/monox-31-million-exploit)*
