DeFi
Illuvium takes measures to protect staked funds post discovery of vulnerability
Over the past year, Decentralised Finance (DeFi) has experienced exponential growth with more than 4.3 million users at the time of writing. Needless to say, it doesn’t show any signs of slowing down, given the current demand. That said, hacks, scams, and similar illicit activities played a role as well. As unfortunate as it sounds, some security risks are involved.
Drastic step(s)
Multi-billion dollar blockchain gaming giant Illuvium is currently the topic of discussion after it fell prey to illicit activity. Although, no funds have been compromised so far.
Illuvium is an open-world fantasy battle sport that’s constructed on the Ethereum network and has the aim of turning into the primary AAA-rated blockchain-based sport that includes elements of decentralized finance (DeFi) and nonfungible tokens (NFT).
Here’s the interesting part. Post-detection of a vulnerability in staking contracts, Illuvium drained entire funds from a Uniswap pool. Thereby, preventing an attacker from cashing out. The team tweeted:
We have found a vulnerability in our staking contracts, and as such, the eDAO has put a temporary pause on $sILV minting. The attack vector has been closed, and no funds have been compromised. This is purely a protection mechanism for the DAO. (1/2)
— Illuvium (@illuviumio) January 4, 2022
The said precaution doesn’t really come as a surprise. Especially given the increase in the number of hacks, exploits and attacks in the DeFi world. But the obstacle was fixed. At least that’s what the team stated. It update stated,
“The vulnerability has been fixed within the staking V2 contracts and we expect to have them launched shortly. $ILV holders will have time before the Land Sale to claim their $sILV. We’re very sorry for the inconvenience. Ensuring the DAO is protected is our main priority.”
Here’s the significance of the aforementioned action. The sILV/ETH Uniswap V3 pool was drained of all funds in a series of large transactions. It even shorted the trading price of sILV to $0, although temporarily.
Further analysis
On further analysis, the team along with the co-founder of the network Aaron Warwick made a couple of observations.
Firstly, users were advised to not buy into any liquidity. Also, attackers were able to steal some of the funds. But it’s currently unclear how much sILV the attacker was able to cash out as ETH before the team managed to drain the pool entirely.
Furthermore, the team added a few insights to alert users of next steps.
…they do not lose any funds from this attack. We are investigating the issue and will continue to provide updates as soon as possible. As a reminder, we cannot stop people from buying into the pool right now but please DO NOT buy in the unofficial sILV pool. ⚠️ (3/3)
— Illuvium (@illuviumio) January 4, 2022
As part of the latest warning, the team shed light on an important aspect. Something to think about before acting upon it.
There are scammers pretending to be Illuvium's Official Support twitter account pretending to offer help. Our Twitter account is verified (check for blue tick). Never give out your passwords or seed phrases or click suspicious links. We've reported the account to Twitter.
— Illuvium (@illuviumio) January 4, 2022
Overall, a detailed post-mortem would provide the necessary information for the aforementioned hack. For now, ILV, Illuvium’s governance token did take a major hit. It was trading at the $990 mark with a 4% correction in 24 hours.