An unknown actor exploited a vulnerability in the DeFi protocol Team Finance and siphoned cryptocurrency assets worth $15.8 million.
1/ @TeamFinance_ was exploited in https://t.co/9s5lLx7EOr, leading to the loss of ~$15.8M for the protocol: $11.5M (V2_USDC_CAW)+$1.7M(V2_USDC_TSUKA)+0.7M(V2_KNDX_WETH)+1.9M(V2_FEG_WETH). @trustswap https://t.co/7r1F0J6ATv
— PeckShield Inc. (@peckshield) October 27, 2022
According to PeckShield researchers, the attacker exploited a bug in the token migration function. He moved real liquidity from Uniswap V2 into new pairs on Uniswap V3 with a skewed price, which returned “huge profits.”
2/ The protocol has a flawed migrate() that is exploited to transfer real UniswapV2 liquidity to an attacker-controlled new V3 pair with skewed price, resulting in huge leftover as the refund for profit. Also, the authorized sender check is bypassed by locking any tokens. pic.twitter.com/G2QVNU7DgU
— PeckShield Inc. (@peckshield) October 27, 2022
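The arithmetic behind the "huge leftover" PeckShield describes, as an added example that is not Team Finance's or PeckShield's code: a simplified full-range, no-fee model of adding liquidity to a V3 pool, plus a guard a migrator could run before moving funds. The function names, the 1% tolerance and the sample reserves are assumptions constructed for illustration.

```python
import math

def full_range_usage(amount0, amount1, pool_price):
    """Amounts a full-range V3 position consumes at pool_price (token1 per token0).

    Simplified model (assumption): over the full range, amount0 ~= L / sqrt(P)
    and amount1 ~= L * sqrt(P), so liquidity L is capped by the scarcer side.
    """
    sqrt_p = math.sqrt(pool_price)
    liquidity = min(amount0 * sqrt_p, amount1 / sqrt_p)
    return liquidity / sqrt_p, liquidity * sqrt_p

def leftover_fraction(amount0, amount1, pool_price):
    """Largest share of either token that would come back as a refund."""
    used0, used1 = full_range_usage(amount0, amount1, pool_price)
    return max(1 - used0 / amount0, 1 - used1 / amount1)

def migration_allowed(reserve0, reserve1, pool_price, max_deviation=0.01):
    """Guard: the destination pool price must match the V2 reserve ratio."""
    fair_price = reserve1 / reserve0
    return abs(pool_price - fair_price) / fair_price <= max_deviation

# Constructed sample: a V2 pair holding 1,000,000 token0 and 500 token1.
R0, R1 = 1_000_000.0, 500.0
FAIR = R1 / R0        # price implied by the V2 reserves
SKEWED = FAIR * 100   # destination pool initialised 100x off that price

if __name__ == "__main__":
    for label, price in (("fair", FAIR), ("skewed", SKEWED)):
        print(label,
              round(leftover_fraction(R0, R1, price), 4),
              migration_allowed(R0, R1, price))
```

At the fair price almost nothing is refunded; at the skewed price about 99% of one token is left over, which is why the refund recipient and the destination price both need to be validated before liquidity moves.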
To carry out the attack, he needed only 1.76 ETH, worth about $2,730 at the time of writing. The attacker transferred the funds from the automated crypto exchange FixedFloat.
As a result, the unknown actor withdrew from Uniswap V2:
- ~$15.4 million in Hunters Dream (CAW) tokens;
- ~$1.7 million in Dejitaru Tsuka (TSUKA);
- ~$2.6 million in WETH.
The Team Finance team confirmed the incident and said that the exploited function had undergone an audit. The developers began an investigation and invited the hacker to discuss returning funds in exchange for a bounty.
“We are temporarily suspending all operations through Team Finance until we are confident that the exploit has been fixed. All funds currently in the protocol are not at risk from this vulnerability,” the team said.
We have just been alerted of an exploit on Team Finance.
We are currently unsure of the details.
We urge the exploiter to get in contact with us for a bounty payment
We are working to analyze and remedy the situation at this very moment.
More details to follow
— Team Finance (@TeamFinance_) October 27, 2022
As previously reported, on October 12 attackers drained the trading and lending DeFi platform Mango Markets of digital assets worth about $116 million by manipulating oracles. One of the attackers, Avraham Eisenberg, described the group's actions as a legitimate execution of a high-earning trading strategy.
The Mango Markets community approved an agreement under which the hackers will return $69 million and keep $47 million as a bounty.
