On October 27th, DeFi project Team Finance announced that they had just been alerted about an exploit on its protocol. They said they were investigating the incident and ‘working to analyze and remedy the situation.’ They also requested the exploiter to contact them for a potential bug bounty payment.
Attacker Used 1.76 ETH ($2,700) To Steal Funds Worth $14.5M
An initial analysis by blockchain security firm PeckShield revealed that the attacker targeted liquidity tokens under the custody of Team Finance. The drained assets included CAW (A Hunters Dream), Dejitaru Tsuka (TSUKA), Kondux, and Feg.
Team Finance estimated that $14.5 million was lost, with PeckShield providing an additional estimate of $15.8 million. Most of the stolen funds were CAW tokens worth $11.5 million.
In addition, the PeckShield team stated that the attacker used 1.76 Ethereum, worth around $2,700, withdrawn from FixedFloat, to carry out the attack. The attacker used the funds to transfer liquidity from Uniswap v2 assets on Team Finance to ‘an attacker-controlled new V3 pair with skewed pricing.’ This resulted in the attacker earning a significant profit after completing the process.
The V2 Code Had Been Audited by a Reputable Firm – Team Finance
A day after the exploit, Team Finance issued a statement breaking down the events that led to the exploit. They explained that the attacker had managed to exploit the audited Uniswap v2 to v3 migration function of its protocol. Within an hour of the breach, Team Finance had identified the issue and paused all protocol functions.
They added that the exploited contract had been audited by ‘a reputable audit firm’ and the exploit was not due to ‘any contract upgrade’ by the team. They reiterated that all other contracts, functions, and assets on Team Finance were safe.
Concerning a game plan to resolve the situation, Team Finance stated that they were working with ‘several established security, audit, and blockchain investigation companies to assist with’ solving the issue. They had also initiated contact with the exploiter for possible resolutions. As an additional precaution, the exploiter’s wallet had been blacklisted on Etherscan, and crypto exchanges had been contacted regarding the same.
Attacker Returns $7M of the Stolen Funds, Decides to Keep 10% as a Bug Bounty
In a turn of events, blockchain security firm SlowMist reported on October 31st that the attacker had started returning funds to the projects affected by the exploit. At that time, the attacker had returned $7 million of the stolen tokens and had decided to keep 10% of the funds as a bug bounty for exposing the vulnerability in Team Finance’s code.
A Possible New Trend of ‘Whitehat’ Hackers Exploiting DeFi Protocols for a Bounty
To note is that the Team Finance exploit followed a similar pattern to the Mango Markets attack in mid-October, whereby a hacker manipulated the price of MANGO using $10 million in initial capital and ended up draining $114 million from the DeFi platform.
The attacker later came clean after returning $67 million of the stolen funds and keeping $47 million as a bug bounty for revealing the vulnerability on Mango Markets. The refund and bounty were the results of a governance proposal on MangoDAO initially suggested by the attacker.
Such hacking incidences were why FTX’s founder and CEO, Sam Bankman-Fried, had suggested a cap on bug bounties to limit their impact on the digital asset ecosystem.
Mr. Bankman-Fried had proposed that bug bounties be capped at either $5 million or 5% of the amount stolen and whichever was smaller. His proposals aimed to provide some set of standards in the crypto industry ‘to create clarity and protect customers while waiting for full federal regulatory regimes.’