Polygon’s stablecoin protocol QiDAO suffers $13 million exploit on third party contract

The latest cryptocurrency hack has targetted Polygon‘s native stablecoin protocol Qi DAO, as its Suplerfluid vesting contract faced an exploit earlier today. The hackers got away with a reported $13 million in various tokens, leading to its governance token Qi’s price falling a sharp 68% in no time.

QiDAO announced the hack on Twitter earlier while ensuring users that their funds were safe as the protocol itself had not been affected.

Superfluid's vesting contract for QI has been exploited.

User funds on QiDao contracts remain safe. The exploit is solely on Superfluid.

We will release an update when we know more.

— Qi Dao (@QiDaoProtocol) February 8, 2022

This was followed by an acknowledgment by Superfluid as well, which noted on Twitter that the vesting contract for QiDAO had been compromised. It also warned users from using Superfluid smart contracts for the time being. The protocol acts as an on-chain bridge for users to transfer funds between wallets in real-time.

We are investigating a potential protocol layer exploit. As precaution, please do unwrap all your SuperTokens. The attackers might be targeting wallets/contracts with large amounts.

More info on how to unwrap tokens from our Dashboard can be found here: https://t.co/yJR3tiEGwo

— Superfluid (@Superfluid_HQ) February 8, 2022

Blockchain analytics firm SlowMist tracked the hacker’s address and found that it had made a profit of more than $13 million, including QI, WETH, USDC, SDT, MOCA, STACK, sdam3CRV and MATIC. The attacker’s address had a balance of 11,016.60 MATIC, 507,930.87 MOCA, 2,707.91 ETH, and 43,910.39 DAI per SlowMist’s latest update.

Source: SlowMist/Twitter

While user funds and vaults have remained safe, it appears that those lost belong to early-stage investors along with team vested tokens. For now, Qi bridging is temporarily paused by the protocol as it is investigating the bug.

Nevertheless, the price of QiDAO’s governance token dipped 68.5% after the hackers started dumping the stolen QI Quickswap DEX with high slippage. The price dropped from $1.24 to $0.18 at the time. Albeit, a recovery in price could already be noted, as enthusiastic investors bought the dip. The token was still down 33.8% in the past 24 hours and was trading at $0.69 at press time.

#Slippage $QI #QiDAO price dropped -68.05% #Polygon https://t.co/CozWr2kwOZ pic.twitter.com/3Fef1PTG4A

— PeckShieldAlert (@PeckShieldAlert) February 8, 2022

The hack has come at the heels of Polygon completing a successful investment round yesterday worth $450 million. The round was led by Sequoia Capital India and marks the top Venture Capital firm’s first foray into the industry.