This is a story that ended pretty well... thanks to... me.
But i could also prevent it entirely.
Let's start from the beginning.

Avoteo is a project that has been presented on a local italian group i were in.. as always, if the contract is available i go to check it.

During my usual DD... i've noticed something very cool, they've been audited by Certik!

That's kinda nice to have before the launch, so i was convinced i was losing my time checking it... yeah... sure krako.

image

there's a swap system here, so my eyes just gone there..

image

"BRO WTF!!! this is going bad!"
I've said... it's clearly a wrong move, who the hell would put a nonReentrant when there is a swap system?!?!?

Then my jaw dropped.
My hero has fallen.

image I've studied on those audits... and that audit is the reason of the problem.
No.. impossible.
I'm missing something, they cannot have introduced a bug by fixing a report from Certik.
I must be wrong, after all i'm still a newbie.

So i've set a note, 3 months before the launch.
"Watch the break of Avoteo".

let the world burn, sometimes

I was sure but not that sure to go warn the Avoteo team and insult Certik.
So i waited...
Until i got proof of my analysis.

image

Oh shit.
I was right!!!!
FOCK!
This is soooo wroooong, their swap system is USELESS.

I've waited some minutes to enjoy the pure hell in their group & to see if some dev could find the problem, then i've instantly wrote to the team and they disabled the swap image

All was working again and they enjoyed the later night.

What we learned

  • Do not trust one single audit firm, they're humans after all.
  • If you want to make your protocol safe, do multiple audits from different firms
  • Always check your code
  • Ask someone to check your code
  • Trust your fucking knowledge
  • Write tests
  • DO PROOF OF CONCEPTS! This was the key that could give me the confidence to warn the team.
  • You can transform into a God for a small group of peoples for a very short period of time

PS: their contract broke again some months before on the previous version...
because someone sent tokens to the pair, fixed by calling sync()
They asked 4 devs... none of them found the problem.
I've found it in some minutes.
Proof Of Experience.

The Avoteo team handled everything with professionalism and no funds has been lost during this journey.
o/