The latest cryptocurrency hack has targetted Polygon‘s native stablecoin protocol Qi DAO, as its Suplerfluid vesting contract faced an exploit earlier today. The hackers got away with a reported $13 million in various tokens, leading to its governance token Qi’s price falling a sharp 68% in no time.
QiDAO announced the hack on Twitter earlier while ensuring users that their funds were safe as the protocol itself had not been affected.
Superfluid’s vesting contract for QI has been exploited.
User funds on QiDao contracts remain safe. The exploit is solely on Superfluid.
We will release an update when we know more.
— Qi Dao (@QiDaoProtocol) February 8, 2022
This was followed by an acknowledgment by Superfluid as well, which noted on Twitter that the vesting contract for QiDAO had been compromised.
Gupta wrote, under ideal circumstances, any associated burn fees would be paid by the user upon withdrawing their tokens from a reward pool. But due to a bug, every withdrawal burned PLX in SafeDollar’s pool, which allowed the attacker to deplete the pool’s PLX supply by repeatedly depositing and withdrawing tokens in a loop.
Then once the pool’s PLX balance was low enough, the attacker could take advantage of the artificially increased SDO reward rates due to the reward being calculated based on the pool’s total holdings.
Gupta called this an “infinite mint exploit.”
Through this method, the attacker claimed $250K in SDO rewards, which they immediately dumped for USDC and USDT through SafeCoin’s USDC/USDT liquidity pools. And everyone else who held SafeDollar was left holding a bag with a broken stablecoin.
Stablecoin to following exploit on polygon
SafeDollar said it will announce compensation and a future plan in another article, but there’s a good chance the SDO token will never recover. Oftentimes, it only takes one exploit for a stablecoin to topple completely.
With so many other protocol options on the market, users typically take their capital elsewhere as soon as trust erodes. After all, if a stablecoin can be exploited, then it loses its entire purpose.
This is the second Polygon-based stablecoin to topple following an exploit in the past couple weeks.
On June 16, Iron Finance flopped after a massive bank run, whereby users exploited the protocol’s two-token system (the IRON stablecoin pegged to $1 and the TITAN collateral token).
It also warned users from using Superfluid smart contracts for the time being. The protocol acts as an on-chain bridge for users to transfer funds between wallets in real-time.
We are investigating a potential protocol layer exploit.
As precaution, please do unwrap all your SuperTokens. The attackers might be targeting wallets/contracts with large amounts.
More info on how to unwrap tokens from our Dashboard can be found here: https://t.co/yJR3tiEGwo
— Superfluid (@Superfluid_HQ) February 8, 2022
Blockchain analytics firm SlowMist tracked the hacker’s address and found that it had made a profit of more than $13 million, including QI, WETH, USDC, SDT, MOCA, STACK, sdam3CRV and MATIC.
The value of SafeDollar (SDO), an algorithmic stablecoin intended to be pegged to $1, has dropped to zero after a $248K exploit on Polygon.
In a post-mortem analysis published on June 28, SafeDollar reported it had lost $202K of USDC and $46K of USDT as a result of an attack on one of its pools for the deflationary PlexCoin (PLX) token, which burns 0.15% every time a user deposits into the pool. By providing liquidity to the pool, users could farm SDO rewards which, like other stablecoins, were intended to be safer and less volatile than the majority of crypto tokens.
Infinite Mint Exploit
The exploit happened in the PLX version 1 pool. SushiSwap core developer and security researcher Mudit Gupta took to Twitter to explain what happened.
The attacker’s address had a balance of 11,016.60 MATIC, 507,930.87 MOCA, 2,707.91 ETH, and 43,910.39 DAI per SlowMist’s latest update.
Source: SlowMist/Twitter
While user funds and vaults have remained safe, it appears that those lost belong to early-stage investors along with team vested tokens. For now, Qi bridging is temporarily paused by the protocol as it is investigating the bug.
Nevertheless, the price of QiDAO’s governance token dipped 68.5% after the hackers started dumping the stolen QI Quickswap DEX with high slippage.
The price dropped from $1.24 to $0.18 at the time. Albeit, a recovery in price could already be noted, as enthusiastic investors bought the dip.
SafeDollar, an algorithmic stablecoin on Polygon aiming to “become the most safe stable coin for Defi, (decentralized finance)” according to its website, saw its value crash to $0 following a cyberattack yesterday.
See: Crypto Financial Lingo to Sound Like an Investing ExpertFind: 4 Best Places To Buy and Sell Cryptocurrency
“SafeDollar was recently the subject of an exploit that resulted in a loss of 202,230 USDC and 46k USDT,” it said in a post-mortem analysis.
Stablecoins are cryptocurrencies whose aim is to remain stable and have low volatility.
SafeDollar, an algorithmic stablecoin on Polygon aiming to “become the most safe stable coin for Defi, (decentralized finance)” according to its website, saw its value crash to $0 following a cyberattack yesterday.
See: Crypto Financial Lingo to Sound Like an Investing ExpertFind: 4 Best Places To Buy and Sell Cryptocurrency
“SafeDollar was recently the subject of an exploit that resulted in a loss of 202,230 USDC and 46k USDT,” it said in a post-mortem analysis.
Stablecoins are cryptocurrencies whose aim is to remain stable and have low volatility.
The value of SafeDollar (SDO), an algorithmic stablecoin intended to be pegged to $1, has dropped to zero after a $248K exploit on Polygon.
In a post-mortem analysis published on June 28, SafeDollar reported it had lost $202K of USDC and $46K of USDT as a result of an attack on one of its pools for the deflationary PlexCoin (PLX) token, which burns 0.15% every time a user deposits into the pool. By providing liquidity to the pool, users could farm SDO rewards which, like other stablecoins, were intended to be safer and less volatile than the majority of crypto tokens.
Infinite Mint Exploit
The exploit happened in the PLX version 1 pool.
SushiSwap core developer and security researcher Mudit Gupta took to Twitter to explain what happened.
SDO’s smart contract today are worth around $248,000 in total, according to Cryptoslate, which adds that as a result, SafeDollar’s price — which was supposed to always be equal to $1 since it’s a stablecoin — has plummeted to zero.
“We are finalizing and will announce the Compensation and move Forward Plan in a separate article. We hope this would give a transparent response to the SafeDollar community.
Thank you for your understanding and support of SafeDollar,” it said in the analysis.
See: Diem Coin: What You Need To KnowFind: Skip the Check — Send Crypto for Your Grandkid’s Next Birthday
An exploit is a program, or piece of code, designed to find and take advantage of a security flaw or vulnerability in an application or computer system, typically for malicious purposes such as installing malware, according to Cisco.
