Midas Capital - REKT 2
Midas can’t keep hold of their gold.
On Saturday, one of the lending protocol’s pools was exploited for $600k on BSC.
Midas Capital have found themselves on the rekt.news leaderboard for the 2nd time this year. Acknowledging the incident, the team stated they had “pre-emptively paused all pools”.
Last time we wrote:
It’s always a shame to report on losses in DeFi, but especially when they are down to already known issues, with simple workarounds.
Sadly, this exploit was also down to a known issue, one that affected Hundred Finance in April. In what was also a 2nd entry, Hundred lost $7.4M on Optimism.
On Hundred’s first outing we wrote:
Forks upon forks create a house of cards…
When one fork falls, all others have to check their foundations.
When will they learn?
Credit: Peckshield, Ancilia, BlockSec
The exploit was made possible by a rounding vulnerability in the redeem counter, affecting interest rate calculation (as in April’s Hundred Finance incident).
On Wednesday, RSK-based Tropykus was hit by the same attack, leading to $150k in losses. As pointed out by Alexand39172242, the Tropykus attacker, who was contacted by the Tropykus team, also funded the Midas attacker’s address.
Attacker’s address: 0x4b92cc3452ef1e37528470495b86d3f976470734
The attacker has deposited a portion of the stolen funds into Tornado Cash and bridged some to Ethereum.
DeFi is an interconnected web of composable protocols and forked code; the possibilities for innovation are limitless, and the opportunities for integration, endless.
But weaknesses, once discovered, instantly propagate through the ecosystem…
…sometimes finding their way into projects whose own devs are seemingly unaware, or don’t think to check.
Keeping on top of these incidents is crucial for anyone working on securing funds in such a complex and interdependent industry.
Our archive is just one click away…