Popular DeFi protocol Stake Steak is in the news today after it suffered an exploit that allowed hackers to mint a large amount of the platform’s STEAK token. Soon after, its price plummeted by over 99%.
The Fantom protocol, which aims to keep the fUSD and USDC stablecoins pegged, suffered the exploit after attackers were able to scrape a private key from one of its repositories on GitHub. The key had been there for over 5 months, the protocol’s developers revealed in a postmortem released earlier today.
It further read,
“The exploiters were able to gain access to the STEAK deployer account due to the private keys being visible on the initial commit 5/19 of the steak public contracts on github.”
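The root cause quoted above, a deployer key sitting in a repository's first commit, is the kind of leak a history scan catches before a repository is made public. The following is an added example, not code from Stake Steak or its postmortem; it goes beyond the initial commit to every commit in the log, and it assumes a hex-encoded 32-byte key (the page does not state the key's format), with the sample log, file name, variable names and context-word list all constructed for illustration.

```python
import hashlib
import re

# A 64-hex-digit value (optionally 0x-prefixed) is the shape of an EVM private key.
HEX_KEY = re.compile(r"(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{64})(?![0-9a-fA-F])")
# Hypothetical context words; transaction and block hashes share the same shape.
CONTEXT = re.compile(r"priv|secret|key|deployer|mnemonic", re.IGNORECASE)

def scan_history(log_text):
    """Scan `git log -p --reverse` text; report key-like values on changed lines."""
    findings, by_key, commit, path = [], {}, None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ "):
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif commit and line.startswith(("+", "-")):
            m = HEX_KEY.search(line)
            if not (m and CONTEXT.search(line)):
                continue
            key = m.group(1).lower()
            if line[0] == "+":
                # Report a fingerprint only, never the secret itself.
                f = {"commit": commit, "path": path, "removed_in": None,
                     "fingerprint": hashlib.sha256(key.encode()).hexdigest()[:12]}
                findings.append(f)
                by_key.setdefault(key, []).append(f)
            else:
                for f in by_key.get(key, []):
                    f["removed_in"] = commit  # gone from the tree, still in history
    return findings

DUMMY_KEY = "ab" * 32  # constructed placeholder, not a real key
# Constructed sample of `git log -p --reverse` output (headers trimmed).
SAMPLE_LOG = f"""commit {'1' * 40}
    initial commit
--- /dev/null
+++ b/deploy.js
@@ -0,0 +1,2 @@
+const DEPLOYER_KEY = "0x{DUMMY_KEY}";
+const TX_HASH = "0x{'cd' * 32}";
commit {'2' * 40}
    read key from env
--- a/deploy.js
+++ b/deploy.js
@@ -1,2 +1,2 @@
-const DEPLOYER_KEY = "0x{DUMMY_KEY}";
+const DEPLOYER_KEY = process.env.DEPLOYER_KEY;
"""
```

Run it over the output of `git log -p --reverse --all` in your own repository. A finding with `removed_in` set means the key was deleted from the working tree but is still recoverable from history, so the key itself has to be rotated.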
Two different accounts were used for the exploits. The first exploiter burned around 140,823 STEAK tokens from the liquidity provider as STEAK’s 5 million supply was pre-minted. Following this, the hackers were able to mint the same amount of tokens from the compromised deployer account to their account.
They then devalued liquidity provider tokens for the STEAK-FTM liquidity pool and drained funds from several developer wallets. They were able to get away with 80,636 FTM, worth $115,309 at press time.
The second exploiter then minted a further 30,000 STEAK tokens, while taking out 18,386 fUSD-USDC LP, 9,719 USDC, and 387 FTM from STEAK reserves. In total, the second exploiter took 81,351 USDC in value.
The minted STEAK tokens were dumped in the market, causing the price to crash by almost 93% in a matter of minutes. At the time of writing, the altcoin had lost 99% of its valuation. It was trading at $0.045, down from $4.84 before the exploit.
The coin’s trading volume was also up by 1062.41%. This, despite Stake Steak developers taking to Twitter to warn users not to try and “buy the dip” by purchasing STEAK tokens.
Don't buy Steak tokens guys. If the PKs are out in the wild then this token can't be resurrected unless a new one is deployed.
FYI. Buying the dip in this particular case isn't the move. https://t.co/cmUBj14b40
— Fantom Community Alerts 🚨 (@FTMAlerts) October 4, 2021
While apologetic, the developers also treated the exploit as a moment for introspection. They decided to rebrand the protocol as part of the recovery plan, as they want to move away from “staking STEAK” to more “practical and useful products.”
The developers want to give the protocol a more professional look and name and have asked the community to vote for possibilities.
As for compensation, the protocol has decided to airdrop the newly issued tokens to pre-exploit STEAK holders and LPs.
Just last week, another DeFi protocol, Compound Finance, suffered an exploit due to a bug in the distribution mechanism update. This led to over $80 million in funds being compromised. While the aforementioned exploit is much smaller in scale, it points towards a worrying trend of protocol vulnerabilities.