Polygon stablecoin QiDAO exploited for $13M on Superfluid vested contract

Polygon’s native stablecoin protocol QiDAO faced an exploit on its Superfluid vesting contract leading to a 65% drop in the price of the governance token QI. QI price fell from $1.24 to $0.18.

QiDAO took to Twitter on Tuesday to acknowledge the exploit on the Superfluid vesting contract, but assured users that their funds are safe and that no funds held by QiDAO itself were affected. Superfluid also confirmed the exploit affecting QiDAO and said it is investigating the situation and will post updates accordingly. Superfluid's protocol enables users to move assets on-chain as a constant, real-time stream from one wallet to another.

Today at 6.48am GMT we were notified of a potential exploit of the QiDAO vesting contract that leverages Superfluid code. We are investigating the incident and will keep you updated in this thread and our Discord server.

— Superfluid (@Superfluid_HQ) February 8, 2022

While there was no impact on users' funds, the hackers behind the attack managed to get away with $20 million worth of tokens, including 24 WETH, 562,000 USDC, 44 SDT, 1.5 million MOCA, 23,000 STACK and nearly 40,000 sdam3CRV. Early information suggested that the stolen funds belonged to some of the project's early backers and also included team vested tokens.

Crypto analytic group SlowMist created a fund tracker with the balance of each token stolen. After analyzing the wallet transaction data, they estimated that the hackers managed to steal about $13 million worth of cryptocurrencies.

The hackers behind the attack started dumping the stolen QI on the Quickswap DEX with high slippage, leading to a 65% decline in the price of the governance token. The Polygon community took the opportunity to buy the dip, which has already helped the governance token recover to $0.6 after falling below $0.18. It is important to note that the exploit was carried out using a vulnerability in Superfluid; QiDAO itself wasn't exploited.

Contract for $QI under superfluid was exploited (only funds from early investors locked are exploited). All vaults are safe. Funds are safu. Bought the dip/exploit, strong team + strong fundamentals, will buy the whole freaking pool if not for liquidity issue. https://t.co/NDBm3cNzxo

— Jasper (@JunHao_yo) February 8, 2022

QiDAO temporarily paused its bridge after the exploit and hoped to resolve the issue soon. The exploit came within 24 hours of Polygon's $450 million fundraise; however, the community showed strong support for the native stablecoin protocol and stressed that the incident stemmed from a third-party vulnerability rather than an issue with the stablecoin protocol itself.
