Avalanche flash loan exploit sees $371K in USDC stolen

Published at: Sept. 8, 2022

Avalanche-based lending protocol Nereus Finance has been the victim of a crafty hack that saw a user net $371,000 worth of USD Coin (USDC) using a smart contract exploit.

Blockchain cybersecurity firm CertiK was one of the first to detect the exploit on Sept. 6, indicating that the attack impacted liquidity pools on Nereus relating to decentralized exchange Trader Joe and automated market maker Curve Finance.

CertiK also suggested that the underlying protocols themselves were impacted; however, Curve Finance responded via Twitter on Sept. 7, stating “maybe you meant ‘assets impacted,’ not ‘protocols impacted’. Only @nereusfinance and its assets seem impacted.”

On Sept. 7, Nereus Finance released a detailed post-mortem of the incident explaining an “exploiter” was able to deploy a custom smart contract that utilized a $51 million flash loan from Aave to artificially manipulate the AVAX/USDC Trader Joe LP (JLP) pool price for a single block.

We've published a post-mortem on the NXUSD incident from yesterday. https://t.co/ADhu6PagP2 Thanks @peckshield @CertiK

— Nereus Finance (@nereusfinance) September 7, 2022

As a result, the anonymous hacker was able to mint 998,000 worth of Nereus' native token NXUSD against $508,000 worth of collateral. They then swapped this capital into different assets via various liquidity pools and managed to walk away with a net profit of $371,406 once the flash loan was returned.

The incident led to the creation of $500,000 of NXUSD “bad debt” in the NXUSD protocol.

The Nereus team says it was quick to remedy the situation; after consulting security experts, developing a mitigation plan, and notifying law enforcement, they liquidated and paused the exploited JLP market.

The bad debt was reportedly paid off using NXUSD from the team’s treasury.

According to Nereus, the exploit resulted from a “missed step” in the price calculation, which created the opportunity for the exploit. However, it stressed that “no users funds are at risk, and NXUSD continues to be over collateralized” and the “Lending and Borrowing protocol was not affected by this exploit.”
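The mechanism described above (a flash loan moving the AVAX/USDC JLP pool price for one block, then minting NXUSD against the inflated collateral) and the “missed step” in the price calculation come down to how a lending market values LP tokens. The following added simulation, which is not Nereus' code and does not reproduce its actual oracle, assumes a Uniswap-v2-style constant-product pool with constructed reserves and contrasts a reserves-based LP valuation with the fair-LP formula that uses an external reference price; the `oracle_sanity_check` helper is a hypothetical defensive check, not something the article attributes to Nereus.

```python
from math import sqrt

# Constructed AVAX/USDC pool (not Nereus' real figures): 100,000 AVAX and 2,000,000 USDC,
# so the in-pool spot price is $20/AVAX, and 10,000 LP tokens are outstanding.
POOL = {"avax": 100_000.0, "usdc": 2_000_000.0, "lp_supply": 10_000.0}
EXTERNAL_AVAX_PRICE = 20.0  # assumed reference price from outside the pool (TWAP or a feed)

def cpmm_swap(reserve_in, reserve_out, amount_in, fee=0.003):
    """Constant-product swap (x*y=k, 0.3% fee, Uniswap-v2 style).
    Returns (new reserve_in, new reserve_out, amount_out)."""
    amount_in_after_fee = amount_in * (1 - fee)
    amount_out = reserve_out * amount_in_after_fee / (reserve_in + amount_in_after_fee)
    return reserve_in + amount_in, reserve_out - amount_out, amount_out

def naive_lp_price(r_avax, r_usdc, lp_supply):
    """Weak oracle: values the LP token from the pool's own reserves and spot price.
    A single large swap inside one block moves both inputs, inflating the result."""
    spot = r_usdc / r_avax
    return (r_avax * spot + r_usdc) / lp_supply

def fair_lp_price(r_avax, r_usdc, lp_supply, p_avax, p_usdc=1.0):
    """Fair-LP pricing (as proposed by Alpha Finance Lab): 2*sqrt(k*p0*p1)/supply with
    external prices. k = r_avax*r_usdc changes only by the fee, so in-pool swaps barely move it."""
    k = r_avax * r_usdc
    return 2 * sqrt(k * p_avax * p_usdc) / lp_supply

def oracle_sanity_check(r_avax, r_usdc, lp_supply, p_avax, max_deviation=0.05):
    """Hypothetical defensive check a lending market can run before accepting LP collateral:
    reject when the pool-derived valuation and the fair valuation disagree."""
    naive = naive_lp_price(r_avax, r_usdc, lp_supply)
    fair = fair_lp_price(r_avax, r_usdc, lp_supply, p_avax)
    return abs(naive - fair) / fair <= max_deviation

def simulate_manipulation(flash_loan_usdc):
    """Swap a flash-loaned USDC amount into the pool and return LP valuations
    before and after under both oracles."""
    a, u, s = POOL["avax"], POOL["usdc"], POOL["lp_supply"]
    before = {"naive": naive_lp_price(a, u, s),
              "fair": fair_lp_price(a, u, s, EXTERNAL_AVAX_PRICE)}
    u2, a2, _ = cpmm_swap(u, a, flash_loan_usdc)
    after = {"naive": naive_lp_price(a2, u2, s),
             "fair": fair_lp_price(a2, u2, s, EXTERNAL_AVAX_PRICE)}
    return before, after

if __name__ == "__main__":
    before, after = simulate_manipulation(51_000_000)  # the $51M figure from the post-mortem
    for name in ("naive", "fair"):
        print(f"{name:5s} LP price {before[name]:10.2f} -> {after[name]:10.2f} "
              f"(x{after[name] / before[name]:.1f})")
```

With these constructed reserves the reserves-based valuation rises more than twentyfold after the swap while the fair valuation moves by a fraction of a percent, which is why a single-block manipulation can only be monetised against the former.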

Nereus is also confident the same exploit won’t be possible a second time, as the team will be amending its "audit and security practices in order to ensure these types of events do not occur in the future," noting:

“While this exploit is a bad incident — it’s not uncommon for protocols to face these types of battle tests.”

As of this writing, the Nereus team is trying to identify the hacker and track the funds and has offered a 20% White Hat reward for the return of the funds, no questions asked.


Despite this recent flash loan exploit and several other notable incidents throughout the year, CertiK's August 2022 Monthly Skynet Alerts Report, released on Sept. 2, claims there has been a notable decrease in these types of attacks.

Compared to the previous month, August saw a drop of 95% in flash loan attacks, only resulting in a total loss of $745,244, the second lowest this year.

February still has the lowest recorded loss from flash loan exploits with only $200,000.
