QiDAO DeFi protocol loses $13 million in hack

QiDAO protocol for issuing stablecoin on the Polygon network reported a breach of the authorization-transfer smart contract that used code from the Superfluid cash-flow management platform.

Superfluid’s vesting contract for QI has been exploited.

User funds on QiDao contracts remain safe. The exploit is solely on Superfluid.

We will release an update when we know more.

— Qi Dao (@QiDaoProtocol) February 8, 2022

According to blockchain-security firm SlowMist, the hacker siphoned off about $13 million in various coins, including USDC, WETH and the DAO governance token of the QI protocol.

3) We will continue to monitor the movement of stolen funds. #Superfluid #QiDao pic.twitter.com/RLk9Dc5cI5

— SlowMist (@SlowMist_Team) February 8, 2022

According to a statement from the QiDAO team, user funds were not affected. The incident affected assets of early investors and some “other tokens”.

The project temporarily paused cross-chain bridges and began investigating the incident.

1/2

Quick Update. We’re still assessing the situation.

— We can confirm that all funds in QiDao are safe.
— No user funds have been affected.
— We’re aware there are other tokens affected.
— We’ll update the community when we learn more.
— Qi bridging is temporarily paused.

— Qi Dao (@QiDaoProtocol) February 8, 2022

After the funds were withdrawn, the attacker began mass-selling QI tokens on the primary exchange listing for the Quickswap asset, driving the price down by 68% to $0.18.

#Slippage $QI #QiDAO price dropped -68.05% #Polygon https://t.co/CozWr2kwOZ pic.twitter.com/3Fef1PTG4A

— PeckShieldAlert (@PeckShieldAlert) February 8, 2022

As of writing, the asset’s price had recovered to around $0.70.

“We value the support from both our community and the DeFi ecosystem at large,” the protocol team wrote on Twitter.

QiDAO enables issuing a US-dollar-pegged stablecoin MAI backed by crypto assets, in a manner similar to the Ethereum-based project MakerDAO.

Earlier in February, hackers withdrew 120 000 WETH — over $319 million at the time of the breach — from the Wormhole cross-chain protocol built on Solana.