Avalanche-based Zabu Finance loses $3.2M to DeFi exploit
Cryptocurrencies have been commonly associated with wealth – an easy and novel way to make heaps of money in a short time. Scammers all over the world have taken advantage of this for a long time now. As the crypto ecosystem expands, the number of such malicious activities has increased as well.
Take, for instance, the DeFi ecosystem. Hacks in the decentralized finance system accounted for nearly 76% of all major hacks worldwide in 2021 so far, according to a report by security firm AtlasVPN.
The latest mishap
Zabu Finance, a DeFi application on the Avalanche blockchain, is the latest victim of a hack, probably the first major one in the Avalanche ecosystem. The protocol confirmed the exploit in a series of tweets.
We've been exploited today. What happened?
Everything was from a Pool of $SPORE Token -> https://t.co/D12H7uB5pD
Spore has Transfer Tax so that the attacker used the same mechanism with attacks explained on https://t.co/vXkCKPKBIz and https://t.co/SZiss6IC3R)
— Zabu Finance (@zabufinance) September 12, 2021
Meanwhile, industry outlet DeFiPrime also confirmed the exploit.
⚠️ @zabufinance $ZABU exploited ⚠️
Probably it is the first big exploit on #avalanche?
About $3.2M stolen:
$WETH: 402.9
$WAVAX: 23,157
$PNG: 21,501
$AVE: 106,848
$USDT: 361,267
$JOE: 23,958.93
— defiprime (@defiprime) September 12, 2021
Further analysis
The alleged attacker targeted the “Transfer Tax” mechanism of the protocol to mint tokens. The attacker in question “successfully pulled out 4.5 billion ZABU tokens in Zabu Farm Contract, dumped all to Pangolin LPs and Trader Joe LPs of ZABU, stole around $600k.”
As part of the remedial steps, ZABU intended to return tokens to investors based on their balances before and after the hack. First, it set the rewards to zero so that users could withdraw funds. In addition to this,
However, there are some people who lost money and bought back in. So we're looking for a solution that protects people (pre-hack) but also supports people who aped in post-hack:
1. Snapshot pre-hack and distribute Zabu V2
2. Restart V2 Farm with a Zabu V1 Staking Pool
— Zabu Finance (@zabufinance) September 12, 2021
The tweet also stated that with the aforementioned steps,
“…people who lost money pre-hack will get distributed tokens, and continue to support the protocol if they want. For the late buyer (post-hack), they can also participate in the Farm V2, by staking what they’ve bought in a Zabu V1 Staking Pool.”
Having said that,
“The process of Snapshot might take time as we need to calculate balances of Zabu Holders, Farm Stakers (for Zabu-related Pools), and AutoFarm Stakers (for Zabu-related Pools)….”
Even though this was stated to be the first attack on the network in question, PeckShield, a security firm, opined, “…the same bug happened many times before.”
After-effects
Needless to say, the hack caused ZABU’s price to drop almost to zero. The removal of so many ZABU tokens caused prices to collapse.
Notably, at press time, the token managed to recover a bit, witnessing a 25% surge in 24 hours as it traded at the $0.00005 mark.