Steadefi lost $1.14M to a compromised deployer address on Monday.
Phishing or an inside job?
The yield farm on Arbitrum and Avalanche announced the exploit:
NOTICE: Steadefi has been exploited and all funds are currently at risk.
After the deadline, the 10% bounty will be offered to the public as a reward for information leading to a conviction.
Could this be a new industry standard for bounty payments?
And will it work?
According to Steadefi’s own announcement, the deployer address of the protocol was compromised.
As the deployer was the owner of all of the platform’s vault contracts, the attacker was able to transfer ownership (for example, the USDC vault on Arbitrum in this tx) to their own address. From there, the exploiter:
went on to take various owner-only actions such as allowing any wallet to be able to borrow any available funds from the lending vaults.
The attack drained all funds available for borrowing on both Arbitrum and Avalanche, with the only funds protected being deposits in the ‘Depositor vaults’. Steadefi’s TVL fell from over $2M to just $550k.
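The first step of this attack, an OwnershipTransferred event on a vault whose new owner is not the expected multisig, is cheap to watch for. The script below is an added illustration, not Steadefi's code: it assumes the vaults emit OpenZeppelin Ownable's OwnershipTransferred event and that logs arrive in eth_getLogs form, and every address in it is a constructed placeholder.

```python
"""Flag owner changes on watched vault contracts from raw EVM event logs.
Assumes (not from the article) OpenZeppelin Ownable's OwnershipTransferred
event and eth_getLogs-shaped logs; every address is a constructed placeholder."""

# keccak256 of the standard event signatures (OpenZeppelin Ownable / ERC-20)
OWNERSHIP_TRANSFERRED = "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"
ERC20_TRANSFER = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

# Constructed placeholders: a vault, the deployer EOA, the multisig that should own it, an unknown address
VAULT = "0x0000000000000000000000000000000000000a01"
DEPLOYER = "0x00000000000000000000000000000000000de910"
MULTISIG = "0x0000000000000000000000000000000000005afe"
UNKNOWN = "0x000000000000000000000000000000000000bad1"
WATCHED_VAULTS = {VAULT}
APPROVED_OWNERS = {MULTISIG}

def addr_topic(addr: str) -> str:
    """Encode an address as an indexed event topic: left-padded to 32 bytes."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def topic_addr(topic: str) -> str:
    """Inverse of addr_topic: the low 20 bytes of a 32-byte topic."""
    return "0x" + topic[-40:].lower()

def find_owner_changes(logs, vaults=WATCHED_VAULTS, approved=APPROVED_OWNERS):
    """One alert per OwnershipTransferred on a watched vault whose new owner is not approved."""
    alerts = []
    for log in logs:
        vault = log["address"].lower()
        topics = log.get("topics", [])
        if vault not in vaults or len(topics) < 3:
            continue  # unwatched contract, or an event without two indexed args
        if topics[0].lower() != OWNERSHIP_TRANSFERRED:
            continue  # some other event on the vault (deposits, ERC-20 transfers...)
        new_owner = topic_addr(topics[2])
        if new_owner in approved:
            continue  # planned hand-over, e.g. deployer -> multisig
        alerts.append({"vault": vault, "previous_owner": topic_addr(topics[1]),
                       "new_owner": new_owner, "tx": log.get("transactionHash")})
    return alerts

# Constructed sample logs: only the first should raise an alert.
SAMPLE_LOGS = [
    {"address": VAULT, "transactionHash": "0x01",
     "topics": [OWNERSHIP_TRANSFERRED, addr_topic(DEPLOYER), addr_topic(UNKNOWN)]},
    {"address": VAULT, "transactionHash": "0x02",
     "topics": [OWNERSHIP_TRANSFERRED, addr_topic(DEPLOYER), addr_topic(MULTISIG)]},
    {"address": VAULT, "transactionHash": "0x03",
     "topics": [ERC20_TRANSFER, addr_topic(DEPLOYER), addr_topic(UNKNOWN)]},
]
```

Running `find_owner_changes(SAMPLE_LOGS)` yields a single alert for the deployer-to-unknown transfer; the same rule fed from a live eth_getLogs subscription is the minimum a protocol that leaves an EOA as vault owner should run.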
At least some of the remaining TVL appears to have been locked in contracts by the exploiter:
However, the exploiter has also paused the farms contract, which means that if you (and the majority of everyone is) have your svTokens or ibTokens deposited in the farms, you will not be able to withdraw them as well. However, the exploiter is also unable to withdraw them.
The funds were swapped to ~625 ETH and bridged to Ethereum before being forwarded onto another address, where they remain.
With many projects having funds returned recently, Steadefi may be hoping for a happy ending.
However, given that this incident was due to an account compromise and not a potential whitehat poking about for bugs in a smart contract, we won’t be holding our breath.
Especially if certain state-sponsored phishermen are involved…
In the case of Curve, one bounty hunter (or on-chain bluffer) has already opted to go straight to the source rather than take the 10%:
Hacker. I have your IP address. I give you until 08/10/23 8:00 AM UTC to return: 7,000,000 CRV and 7,000 WETH to this address: 0xC6a194f5F08352C6aD0B9Dcff1C7A5Ef9f8A7802. After this time I will reveal your IP address. This is your last chance to make the right choice.
Blackmailing a blackhat.
Is there really no honour among thieves?