Avalanche-based lending protocol Nereus Finance has been the victim of a clever hack in which a user made off with $371,000 worth of USD Coin (USDC) via a custom smart contract.
Blockchain security firm CertiK was one of the first to detect the exploit on Tuesday, stating that the attack affected liquidity pools on Nereus related to the decentralized exchange (DEX) Trader Joe and the automated market maker Curve Finance.
CertiK also suggested that the underlying protocols themselves were affected. However, Curve Finance responded via Twitter on Wednesday, stating that “perhaps you meant ‘affected assets’, not ‘affected protocols’. Only @nereusfinance and their assets seem shocked.”
On Wednesday, Nereus Finance published a detailed post-mortem of the incident explaining that an “exploiter” was able to deploy a custom smart contract that used a $51 million flash loan from Aave to artificially manipulate the price of the Avalanche (AVAX)/USDC Trader Joe LP (JLP) pool for a single block.
We’ve published a post-mortem on the NXUSD incident from yesterday. https://t.co/ADhu6PagP2
thanks @peckshield @CertiK— Nereus Finance (@nereusfinance) September 7, 2022
As a result, the anonymous hacker was able to mint $998,000 of Nereus’ native NXUSD token against $508,000 of collateral. The attacker then traded this capital into different assets through various liquidity pools and came out with a net profit of $371,406 once the flash loan was repaid.
The incident ended with the creation of $500,000 of “bad debt” on the NXUSD protocol.
Nereus’ team says they were quick to remedy the situation. After consulting security experts, developing a mitigation plan, and notifying law enforcement, they liquidated and paused the JLP market.
As reported, the bad debt was paid with NXUSD from the team treasury.
According to Nereus, the exploit was the result of a “missing step” in the price calculation, which created the opportunity to be exploited. However, the team stressed that “no user funds are at risk, and NXUSD remains over-collateralized” and that the “lending and borrowing protocol was not affected by this exploit”.
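The post-mortem describes a flash loan skewing an LP pool's price for one block so that LP collateral was overvalued. The added Python below (illustrative code, not Nereus' contract, with constructed pool numbers) contrasts a naive LP valuation that reads the spot price from the pool's own reserves with the reserve-invariant "fair LP" valuation that uses an external oracle price; treating that as the missing step is an assumption here, as the page does not say what the step was.

```python
from math import sqrt

# Constructed AVAX/USDC constant-product pool; these are illustrative numbers, not Nereus' state.
POOL = {"avax": 100_000.0, "usdc": 2_000_000.0, "lp_supply": 10_000.0}
ORACLE_AVAX_USD = 20.0   # assumed external oracle price, USD per AVAX
LTV = 0.5                # assumed loan-to-value limit for LP collateral

def naive_lp_price(r_avax, r_usdc, lp_supply):
    """Values one LP token from the pool's own spot price: sum of reserve values / supply.
    Because the spot price is read from the same reserves, one large swap moves it."""
    spot_avax_usd = r_usdc / r_avax
    return (r_avax * spot_avax_usd + r_usdc) / lp_supply

def fair_lp_price(r_avax, r_usdc, lp_supply, p_avax, p_usdc=1.0):
    """Reserve-invariant LP valuation: 2*sqrt(k*p0*p1)/supply with external prices.
    k = r_avax*r_usdc is unchanged by a swap, so a one-block skew has no effect."""
    k = r_avax * r_usdc
    return 2.0 * sqrt(k * p_avax * p_usdc) / lp_supply

def swap_usdc_in(r_avax, r_usdc, usdc_in):
    """Fee-less constant-product swap; returns the skewed reserves after the trade."""
    k = r_avax * r_usdc
    new_usdc = r_usdc + usdc_in
    return k / new_usdc, new_usdc

def mint_limit(lp_amount, lp_price, ltv=LTV):
    """Stablecoin a lender would allow against lp_amount at the given LP price."""
    return lp_amount * lp_price * ltv

def compare(flash_loan_usdc, lp_collateral=100.0):
    """Borrow limit under each pricing method, before and after the flash-loan swap."""
    r_avax, r_usdc, supply = POOL["avax"], POOL["usdc"], POOL["lp_supply"]
    before = {"naive": naive_lp_price(r_avax, r_usdc, supply),
              "fair": fair_lp_price(r_avax, r_usdc, supply, ORACLE_AVAX_USD)}
    s_avax, s_usdc = swap_usdc_in(r_avax, r_usdc, flash_loan_usdc)
    after = {"naive": naive_lp_price(s_avax, s_usdc, supply),
             "fair": fair_lp_price(s_avax, s_usdc, supply, ORACLE_AVAX_USD)}
    return {m: (mint_limit(lp_collateral, before[m]), mint_limit(lp_collateral, after[m]))
            for m in ("naive", "fair")}

if __name__ == "__main__":
    # A 51M USDC swap inflates the naive limit 26.5x; the fair limit does not move.
    for method, (pre, post) in compare(51_000_000).items():
        print(f"{method:5s}: mint limit {pre:>12,.0f} -> {post:>12,.0f} USD")
```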
Nereus is also confident that the same exploit will not be possible a second time, as the team will modify its “auditing and security practices in order to ensure that these types of events do not occur in the future,” noting:
“Although this exploit is a bad incident, it’s not uncommon for protocols to face this kind of battle test.”
At the time of writing this article, the Nereus team is trying to identify the hacker and trace the funds and has offered a 20% white hat reward for the return of the funds, no questions asked.
Despite this recent flash loan exploit and other notable incidents throughout the year, CertiK’s Monthly Skynet Alerts Report for August 2022, published on September 2, states that there has been a notable decrease in these types of attacks.
Compared to the previous month, in August there was a 95% drop in flash loan attacks, which resulted in a total loss of only USD 745,244, the second lowest this year.
February continues to be the month with the fewest losses recorded for attacks on flash loans, with only USD 200,000.
Clarification: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information set forth herein should not be taken as financial advice or investment recommendation. All investment and commercial movement involve risks and it is the responsibility of each person to do their due research before making an investment decision.