Published
1 year ago on
September 08, 2022
Table of Contents
A flash loan exploit targeted Nereus Finance, an Avalanche-based lending protocol, resulting in losses amounting to over $300K.
Avalanche Flash Loan Exploit
USD Coin (USDC) worth $371,000 was siphoned off from Nereus Finance through a smart contract exploit, which blockchain cybersecurity firm Certik caught on Tuesday. Soon after, Nereus went into damage repair mode and published an in-depth post-mortem of the attack on Wednesday. Apparently, the attackers leveraged a $51 million flash loan from Aave to manipulate the AVAX/USDC Trader Joe LP pool price for a single block. As a result, they were able to generate a debt of NXUSD (the native token of Nereus) for $998,000 against the $508,000 in security. After the flash loan was repaid, the perpetrators swapped out the cash for different assets using a number of liquidity pools and whisked these assets into their private wallets. The exploit happened due to the Avalanche flash loan, which is interesting in light of the recent allegations of market manipulation against its parent company, Ava Labs.
Team Does Post-Mortem
The Nereus team also acted swiftly by notifying law enforcement, bringing in security professionals, and putting together a mitigation strategy. They also liquidated and suspended the abused JLP market. Furthermore, the team used funds from its own treasury to pay off the bad debt in order to eliminate all risk potential toward user funds. The post-mortem revealed that there was a “missed step” in the price computation of the new collateral types that support the AVAX/USDC Trader Joe LP tokens.
The Way Forward
The team also claimed that the error would not happen again going forward, saying,
“The team will be amending our audit and security practices in order to ensure these types of events do not occur in the future. While this exploit is a bad incident — it’s not uncommon for protocols to face these types of battle tests. As we are about to aggressively expand — we will continue to invest in our capabilities and risk mitigation strategies.”
Talking about the future of the project, the team also revealed that the Curve pool is back in balance. They are focusing on recovery attempts by tracking down the hacker and even offering a 20% White Hat reward for the return of the funds, without any questions asked. They are also developing different approaches to track the funds that were stolen in order to recover them.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
Investment Disclaimer
