Cover Protocol Infinite Mint

On December 28, 2020, the DeFi insurance protocol Cover Protocol suffered an infinite-mint exploit that produced over 40 quintillion COVER tokens from its Blacksmith liquidity-mining contract. The token price collapsed from ~$700 to under $5 within hours. The attacker — Grap.Finance, claiming a white-hat motivation — returned all funds with a public message reading "Next time, take care of your own shit." Total drained and returned: ~$9.4M.

What happened

Cover's Blacksmith contract handled liquidity-mining rewards: users staked LP tokens and accrued COVER rewards over time. The contract tracked each user's reward debt using a state variable that compared current pool state against the user's last-claimed checkpoint.

The bug lived in how Solidity handled memory versus storage references for a critical state variable used in the reward calculation. Specifically: the contract assigned a struct from storage to a memory variable, modified the memory copy, and assumed the changes would persist — but in Solidity's semantics, a memory copy is a separate value that does not write back to storage automatically.

The attacker realised the bug allowed them to trigger reward accruals against stale state repeatedly — each call accumulating additional COVER rewards as if the previous claim's state mutation had never been written. By looping the operation, they minted 40,000,000,000,000,000,000 (40 quintillion) COVER tokens, completely overwhelming the legitimate supply.

Aftermath

• The COVER token crashed approximately 97% within an hour as the freshly-minted supply was sold via 1inch and other DEX aggregators.
• Binance suspended COVER trading within hours of the exploit.
• The attacker — Grap.Finance, a separate DeFi project — publicly claimed responsibility via Twitter, asserted the attack was a white-hat demonstration, and returned all stolen funds to a Cover-controlled multisig.
• The Grap.Finance message — "Next time, take care of your own shit" — became a quoted moment in DeFi security culture and was widely cited as an example of white-hat operations as community accountability.
• Cover Protocol announced a token migration to a redesigned contract with proper memory/storage handling; the project never fully recovered its pre-incident market position and was eventually acquired by Yearn Finance.

Why it matters

The Cover incident is one of the cleanest cases for how Solidity's memory/storage semantics are a perennial source of high-impact bugs. The language's separation of storage (persistent, costs gas) and memory (transient, cheaper) is essential for efficient contracts, but the type system does not warn the developer when assigning a storage struct to a memory variable produces a copy rather than a reference. Bugs of this class have produced exploits at:

• Cover Protocol (Dec 2020) — infinite mint.
• bZx (Sep 2020) — related memory-handling bug in flash-loan logic.
• Multiple smaller incidents across 2021-2024.

The defensive responses include:

• Static analyzers (Slither, Echidna) that flag suspect storage-to-memory assignments.
• Linting rules requiring explicit storage or memory keywords on every reference.
• Formal verification of state-mutation invariants.

The Grap.Finance response also established a pattern that became more common over time: other DeFi projects acting as informal security police by exploiting bugs in protocols and returning the funds, partly as PR and partly as a genuine attempt to demonstrate vulnerabilities before malicious actors could exploit them. The pattern is contested — it normalises "compromise first, ask later" — but it has demonstrably saved real money on multiple occasions.