Thursday, 7 November 2024
Trending

Crypto News

Avalanche flash loan exploit sees $371K in USDC stolen

Avalanche flash loan exploit sees $371K in USDC stolen


Avalanche-based lending protocol Nereus Finance has been the victim of a crafty hack that saw a user net $371,000 worth of USD Coin (USDC) using a smart contract exploit.

Blockchain cybersecurity firm CertiK was one of the first to detect the exploit on Sept. 6, indicating that the attack impacted liquidity pools on Nereus relating to decentralized exchange Trader Joe and automated market maker Curve Finance.

CertiK also suggested that underlying protocols themselves were impacted, however, Curve Finance responded via Twitter on Sept. 7, stating “maybe you meant ‘assets impacted,’ not ‘protocols impacted’. Only @nereusfinance and its assets seem impacted.”

On Sept. 7, Nereus Finance released a detailed post-mortem of the incident explaining an “exploiter” was able to deploy a custom smart contract that utilized a $51 million flash loan from Aave to artificially manipulate the AVAX/USDC Trader Joe LP (JLP) pool price for a single block.

As a result, the anonymous hacker was able to mint 998,000 worth of Nereus’ native token NXUSD against $508,000 worth of collateral. They then swapped this capital into different assets via various liquidity pools and managed to walk away with a net profit of $371,406 once the flash loan was returned. 

The incident ended with to the creation of $500,000 of NXUSD “bad debt” in the NXUSD protocol.

The Nereus team says it was quick to remedy the situation; after consulting security experts, developing a mitigation plan, and notifying law enforcement, they liquidated and paused the exploited JLP market.

The bad debt was reportedly paid off using NXUSD from the team’s treasury.

According to Nereus, the exploit resulted from a “missed step” in the price calculation, resulting in the opportunity to be exploited. However, it stressed that “no users funds are at risk, and NXUSD continues to be over collateralized” and the “Lending and Borrowing protocol was not affected by this exploit.”

Nereus is also confident the same exploit won’t be possible a second time, as the team will be  amending its “audit and security practices in order to ensure these types of events do not occur in the future,” noting:

“While this exploit is a bad incident — it’s not uncommon for protocols to face these types of battle tests.”

As of this…

Click Here to Read the Full Original Article at Cointelegraph.com News…