Atlantis Loans - REKT



UPDATE: Almost a week after the initial exploit, further funds have been drained, bringing the total lost to $2.5M (as noted by Peckshield).


The lost city sunk long ago.

Now, former users have been drained, for a total of ~$1M.

Atlantis Loans was a lending protocol on BSC, before being abandoned by the developers in early April.

Users were informed via a Medium post in which the dev team said they couldn’t afford to continue maintaining the platform. They added:

we believe that discontinuing our services is in the best interest of our users and the protection of their funds.

However, the protocol remained live, with the UI even paid up in advance for two years. As stated in the post:

the only way to make changes or turn things off will have to be done through the governance.

Foreshadowing?

Credit: Beosin, Numen Cyber

A first attempt at the attack, on the 12th of April, failed to pass. With the project abandoned, little attention was paid to the more recent proposal 52, published on the 7th of June.

The attacker pushed and voted through a governance proposal granting them control of Atlantis Loans’ token contracts. They then upgraded those contracts to their own malicious implementations, allowing them to transfer tokens from any address which still had an active approval to the Atlantis contracts.

For a full breakdown of how the proposal was executed, see Numen Cyber’s thread.

Full list of contracts to revoke approvals.
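The revoke-your-approvals advice, as an added defender-side example (not code from rekt.news, Atlantis Loans or Numen Cyber): it ABI-encodes `allowance(owner, spender)` queries for one wallet against a list of spender contracts and builds the `approve(spender, 0)` calldata that zeroes each non-zero allowance. The JSON-RPC `eth_call` is replaced by an offline mock over constructed addresses and allowances; the two selectors are the standard ERC-20 ones.

```python
from typing import Callable, Dict, List, Tuple

# Standard ERC-20 selectors: first 4 bytes of keccak256 of the function signature.
ALLOWANCE_SELECTOR = "dd62ed3e"  # allowance(address,address)
APPROVE_SELECTOR = "095ea7b3"    # approve(address,uint256)

def _addr_word(addr: str) -> str:  # ABI-encode an address as a left-padded 32-byte word
    hex_part = addr[2:] if addr.startswith("0x") else addr
    if len(hex_part) != 40:
        raise ValueError(f"bad address: {addr}")
    return hex_part.lower().rjust(64, "0")

def _uint_word(value: int) -> str:  # ABI-encode a uint256 as a 32-byte word (hex, no 0x)
    return f"{value:064x}"

def allowance_calldata(owner: str, spender: str) -> str:
    """Calldata for token.allowance(owner, spender), read via eth_call on the token."""
    return "0x" + ALLOWANCE_SELECTOR + _addr_word(owner) + _addr_word(spender)

def revoke_calldata(spender: str) -> str:
    """Calldata for token.approve(spender, 0); the owner sends it to the token contract."""
    return "0x" + APPROVE_SELECTOR + _addr_word(spender) + _uint_word(0)

def decode_uint256(ret: str) -> int:
    """Decode the single 32-byte word an allowance() eth_call returns."""
    return int(ret[2:] if ret.startswith("0x") else ret, 16)

def find_open_approvals(owner: str, tokens: List[str], spenders: List[str],
                        eth_call: Callable[[str, str], str]) -> List[Tuple[str, str, int, str]]:
    """Return (token, spender, allowance, revoke calldata) for every non-zero allowance."""
    findings = []
    for token in tokens:
        for spender in spenders:
            amount = decode_uint256(eth_call(token, allowance_calldata(owner, spender)))
            if amount > 0:  # any live approval is exposure once the spender can be upgraded
                findings.append((token, spender, amount, revoke_calldata(spender)))
    return findings

# Constructed sample chain state standing in for live JSON-RPC (not real contracts).
OWNER, TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "aa" * 20, "0x" + "bb" * 20
SPENDER_X, SPENDER_Y = "0x" + "cc" * 20, "0x" + "dd" * 20  # e.g. lending-market contracts
_SAMPLE_ALLOWANCES: Dict[Tuple[str, str, str], int] = {
    (TOKEN_A, OWNER, SPENDER_X): 2**256 - 1,  # "unlimited" approval left behind
    (TOKEN_B, OWNER, SPENDER_Y): 5 * 10**18,
}

def mock_eth_call(to: str, data: str) -> str:
    """Offline stand-in for eth_call that answers allowance(owner, spender) queries."""
    assert data.startswith("0x" + ALLOWANCE_SELECTOR)
    owner, spender = "0x" + data[34:74], "0x" + data[98:138]
    return "0x" + _uint_word(_SAMPLE_ALLOWANCES.get((to, owner, spender), 0))
```

Against a live chain, `mock_eth_call` would be replaced by a real `eth_call` to the token address, and each revoke calldata is sent by the owner as a transaction to that same token contract.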

Attacker’s address: 0xEADe071FF23bceF312deC938eCE29f7da62CF45b

The attacker was initially funded by Binance on ETH.

Governance attacks can be varied in their scope and effects.

Last month, we saw Tornado Cash’s governance system hijacked by an attacker who snuck code into what was supposed to be a safe proposal.

Last year, Beanstalk got rekt for $181M from a flash loan-enabled governance attack made possible by a lack of execution delay on the proposal.

And in March, Swerve, another abandoned Curve clone, was (unsuccessfully) targeted via governance. The proposal would have transferred the $1.3M remaining in the DAI-USDC-USDT liquidity pool to the attacker’s address, but they were unable to gather enough tokens to force the vote through.

This week’s case serves not just as a reminder to revoke old token approvals, but highlights the importance of carefully monitoring governance processes, even on defunct projects.

For Atlantis, it looks like it’s back to the murky depths…

…for good this time.



REKT is a public platform for anonymous authors, and accepts no responsibility for the views or content written on REKT.

Donations (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C

disclaimer:

REKT accepts no responsibility for content posted by anonymous authors on our website, or posted by or in connection with REKT on related services. We provide rules for the conduct and posts of anonymous authors, but we do not control and are not responsible for what anonymous authors post, transmit or share on the website or services, nor are we responsible for any offensive, inappropriate, obscene, unlawful or otherwise harmful content you may encounter on the website or services. REKT is not responsible for the online or offline conduct of any user of our website or services.