Polygon stablecoin QiDAO exploited for $13M on Superfluid vested contract

Published at: Feb. 8, 2022

Polygon’s native stablecoin protocol QiDAO faced an exploit on its Superfluid vesting contract leading to a 65% drop in the price of the governance token QI. QI price fell from $1.24 to $0.18.

QiDAO took to Twitter on Tuesday to acknowledge the exploit of the Superfluid vesting contract, but assured users that their funds are safe and that no funds held by QiDAO itself have been affected. Superfluid also confirmed the exploit involving QiDAO and said it is investigating the situation and will provide updates accordingly. Superfluid's protocol enables users to move assets on-chain as a constant real-time stream from one wallet to another.

Today at 6.48am GMT we were notified of a potential exploit of the QiDAO vesting contract that leverages Superfluid code. We are investigating the incident and will keep you updated in this thread and our Discord server.

— Superfluid (@Superfluid_HQ) February 8, 2022

While there was no impact on users’ funds, the hackers behind the attack managed to get away with $20 million worth of tokens, including 24 WETH, 562,000 USDC, 44 SDT, 1.5 million MOCA, 23,000 STACK and nearly 40,000 sdam3CRV. Early information suggested that the stolen funds belonged to some of the project’s early backers and included team vested tokens as well.

Crypto analytic group SlowMist created a fund tracker with the balance of each token stolen. After analyzing the wallet transaction data, they estimated that the hackers managed to steal about $13 million worth of cryptocurrencies.

The hackers behind the attack started dumping the stolen QI on the Quickswap DEX with high slippage, leading to a 65% decline in the price of the governance token. The Polygon community took the opportunity to buy the dip, which has already helped the governance token recover to $0.6 after falling below $0.18. It is important to note that the exploit was carried out using a vulnerability in Superfluid; QiDAO itself wasn’t exploited.

Contract for $QI under superfluid was exploited (only funds from early investors locked are exploited). All vaults are safe. Funds are safu. Bought the dip/exploit, strong team + strong fundamentals, will buy the whole freaking pool if not for liquidity issue. https://t.co/NDBm3cNzxo

— Jasper (@JunHao_yo) February 8, 2022

QiDAO temporarily paused its bridge after the exploit and hoped to resolve the issue soon. The exploit came within 24 hours of Polygon’s $450 million fundraise; however, the community showed immense support for the native stablecoin protocol and stressed that the incident was caused by a third-party vulnerability rather than an issue with the stablecoin protocol itself.
