June 25, 2024

Avalanche protocol loses $371,000 in flash loan exploit

Nereus Finance, an Avalanche-based lending protocol, fell victim to a smart contract flash loan exploit, losing $371,000 in USD Coin (USDC), CoinTelegraph wrote.

Blockchain cybersecurity firm CertiK first revealed the attack two days ago, indicating that it had affected Nereus-based liquidity pools related to Trader Joe, a decentralized exchange, and AMM Curve Finance.

Only assets impacted, not protocols

The cybersecurity firm also suggested that the exploit affected the underlying protocols. Curve Finance tweeted on September 7 that it was only the assets that had been impacted, not the protocols, and “only Nereus Finance and its assets appear impacted.”

Hacker used $51m flash loan from Aave

Nereus Finance revealed that a hacker deployed a custom smart contract, which used a $51 million flash loan from Aave to manipulate the pool price artificially. The specific price was related to the AVAX/USDC liquidity pool of the DEX Trader Joe.

The hacker minted just under one million NXUSD, Nereus’ native token, in exchange for collateral worth $508,000.

They then used different liquidity pools to exchange the funds into various assets, netting a profit of $371,406 after returning the flash loan.

The end result was bad debt in the amount of $500,000 in the NXUSD protocol.
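The following is an added illustration, not code from Nereus or from the article: it shows why valuing collateral at a pool's instantaneous price is exposed to a single loan-sized swap, and how a deviation check against a reference price refuses the borrow. The constant-product pool model, the reserves, the thresholds and all function names are constructed assumptions, not Nereus's actual pricing logic.

```python
from dataclasses import dataclass

class PriceDeviation(Exception):
    """Raised when the pool price strays too far from the reference price."""

@dataclass
class Pool:
    """Simplified constant-product pool (assumption; reserves are constructed)."""
    avax: float
    usdc: float

    def spot_price(self) -> float:
        return self.usdc / self.avax  # USDC per AVAX at this instant

    def swap_usdc_for_avax(self, usdc_in: float, fee: float = 0.003) -> float:
        k = self.avax * self.usdc
        avax_after = k / (self.usdc + usdc_in * (1 - fee))
        avax_out = self.avax - avax_after
        self.avax, self.usdc = avax_after, self.usdc + usdc_in
        return avax_out

def naive_borrow_limit(pool, collateral_avax, ltv=0.8):
    """Values collateral at the instantaneous pool price, which one swap can move."""
    return collateral_avax * pool.spot_price() * ltv

def guarded_borrow_limit(pool, collateral_avax, reference_price,
                         ltv=0.8, max_deviation=0.05):
    """Refuses to price collateral when spot deviates from a reference price
    (e.g. a time-weighted average or independent feed; hypothetical input)."""
    spot = pool.spot_price()
    if abs(spot - reference_price) / reference_price > max_deviation:
        raise PriceDeviation(f"spot {spot:.2f} vs reference {reference_price:.2f}")
    return collateral_avax * min(spot, reference_price) * ltv

def demo():
    pool = Pool(avax=1_000_000, usdc=20_000_000)  # constructed reserves
    reference = pool.spot_price()                  # price before any swap
    before = naive_borrow_limit(pool, 1_000)
    pool.swap_usdc_for_avax(51_000_000)            # loan-sized swap in one transaction
    after = naive_borrow_limit(pool, 1_000)
    try:
        guarded_borrow_limit(pool, 1_000, reference)
        rejected = False
    except PriceDeviation:
        rejected = True
    return before, after, rejected

if __name__ == "__main__":
    print(demo())
```

With these constructed reserves, the naive limit for the same collateral grows more than tenfold after the swap, while the guarded function raises instead of returning a value.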

Nereus with immediate mitigation plan

Nereus took immediate measures. The team paused and liquidated the exploited market after informing law enforcement, speaking to security experts, and creating a mitigation plan. Reportedly, the treasury was used to repay the bad debt in NXUSD.

“Missed step”

Nereus reported that the exploit was due to a “missed step” in the calculation of the price. The team emphasized that no user funds were at risk, and NXUSD was still overcollateralized. The exploit affected neither the lending nor the borrowing protocol.


The platform is certain it will never happen again because the team will change its security and audit practices to prevent such exploits moving forward. The team stated, “While this exploit is a nasty incident — it’s not uncommon for protocols to face these types of battle tests.”

Nereus offers 20% for return of funds

Nereus is working on tracing the stolen funds and identifying the hacker. They’re offering a 20% reward to any White Hat hacker who’s able to retrieve the money.

While such exploits continue, they’re slowing down. In August, there were 95% fewer flash loan attacks than in July. A total of $745,244 was lost that month, the second lowest in 2022. The worst month for attackers was February.