Midas Capital - REKT 2

Midas can’t keep hold of their gold.

On Saturday, one of the lending protocol’s pools was exploited for $600k on BSC.

Midas Capital have found themselves on the rekt.news leaderboard for the 2nd time this year. Acknowledging the incident, the team stated they had “pre-emptively paused all pools”.

Last time we wrote:

“It’s always a shame to report on losses in DeFi, but especially when they are down to already known issues, with simple workarounds.”

Sadly, this exploit was also down to a known issue, having affected Hundred Finance in April. In what was also a 2nd entry, Hundred lost $7.4M on Optimism.

On Hundred’s first outing we wrote:

“Forks upon forks create a house of cards…

“When one fork falls, all others have to check their foundations.”

When will they learn?

Credit: Peckshield, Ancilia, BlockSec

The exploit was made possible by a rounding vulnerability in the redeem counter, affecting interest rate calculation (as in April’s Hundred Finance incident).

On Wednesday, RSK-based Tropykus was hit by the same attack, leading to $150k in losses. As pointed out by Alexand39172242, the Tropykus attacker, who was contacted by the Tropykus team, also funded the Midas attacker’s address.

Attacker’s address: 0x4b92cc3452ef1e37528470495b86d3f976470734

The attacker has deposited a portion of the stolen funds into Tornado Cash and bridged some to Ethereum.

DeFi is an interconnected web of composable protocols and forked code; the possibilities for innovation are limitless, and the opportunities for integration, endless.

But weaknesses, once discovered, instantly propagate through the ecosystem…

…sometimes finding their way into projects whose own devs are seemingly unaware, or don’t think to check.

Keeping on top of these incidents is crucial for anyone working on securing funds in such a complex and interdependent industry.

Our archive is just one click away…
