The raid of Tomb Finance makes for Fantom’s first fatality.
Was it an exploit, or on-chain tax evasion?
The “attacker” set up a website so that others could join in.
Tomb Finance had created an algorithmic stablecoin on the Fantom chain.
Their website states that:
TOMB is a taxed token, which means you will pay a service fee when selling TOMB.
A “taxed token” doesn’t sound very appealing, especially to the crypto crowd.
Perhaps that’s why an anonymous actor made a website allowing users to evade this tax.
The Tomb team say it wasn't a hack, but we’ll let the rekt readers be the judge of that.
The root of the problem was a method of circumventing the protocol’s Gatekeeper fee system, which aims to keep the price of $TOMB pegged to $FTM.
The Gatekeeper collects a service fee on all $TOMB sales, which increases drastically (up to 20%) as the token reaches peg with $FTM.
The $TOMB collected from fees is then used by the DAO, either by selling half for $FTM and providing the other half as liquidity (above the peg) or burning the $TOMB (below peg).
Given these exorbitant fees, an enterprising user found a way to avoid the tax, and even set up a UI for avoiding the Gatekeeper at notomb.tax, stating:
There will be a fee to do so but it is much smaller than the actual gatekeeper tax.
Example transaction: 0x0a967da...
Tax-dodger contract: 0xC1C6caCb78466a555b11dA0Df6D0BB07a1Afb708
Faced with such a public tax-evasion strategy for their protocol, the Tomb team decided to deactivate the Gatekeeper, depriving themselves of the funds needed to stabilise the price.
As word got out and the peg was lost, the protocol found itself buried alive with a plummeting token price and a social media FUD frenzy.
The protocol asked this question in its own FAQ:
Ok, so what the hell is the point of having a token that’s pegged to the price of $FTM when you could just use $FTM itself instead?
Charging your users 20% to use the token when it’s functioning as intended seems to go against their stated aim of creating:
“a mirrored, liquid asset that can be moved around and traded without restrictions”
Was the Tomb team digging their own grave?
One of our readers was in the Tomb Discord call when they were discussing the incident.
They reported the following to our Telegram group:
It sounds like they [Tomb Finance] knew about it for weeks and then the website went up so the devs pulled the plug on the gatekeeper tax — that's how I interpreted the voice discussion they had on Discord. But since "nobody was losing money" it wasn't a rug or exploit and no big deal…
Also something mentioned in the voice chat was that Tomb has been using the DAO funds to prop up TOMB. The number spoken was "100s of 1000s" of DAO funds have been spent prior to keep TOMB on peg.
Which sounds like the gatekeeper / exit tax wasn't even sufficient and yet again any algostable proves fruitless...
To end today’s article, let’s play a game of “guess the algorithmic stablecoin”: