Nereus Finance, an Avalanche-based lending protocol, had $371,000 worth of USD Coin (USDC) taken through a smart contract exploit.
Blockchain cybersecurity firm CertiK was one of the first to detect the exploit on Tuesday, linking the attack to decentralized exchange (DEX) Trader Joe and automated market maker Curve Finance and indicating that it had affected Nereus's liquidity pools.
CertiK also suggested that the underlying protocol itself was affected. However, Curve Finance responded on Twitter on Wednesday, saying, “You probably meant ‘affecting assets’ rather than ‘protocols affected’. It looks like only @nereusfinance and their assets are affected.”
On Wednesday, Nereus Finance detailed in a post-mortem analysis of the incident that the “exploiter” used a $51 million flash loan from Aave to artificially manipulate the Avalanche (AVAX)/USDC Trader Joe LP (JLP) pool price for a single block.
As a result, anonymous hackers were able to mint 998,000 worth of Nereus’ native token NXUSD against $508,000 worth of collateral. They were then able to exchange this capital for other assets through various liquidity pools and earn a net profit of $371,406 once the flash loan was repaid.
The incident ended with the creation of $500,000 of NXUSD “bad debt” on the NXUSD protocol.
The Nereus team says it was quick to remedy the situation. After consulting security experts, developing a mitigation plan, and notifying law enforcement, it liquidated and suspended the exploited JLP market.
The bad debt was reportedly paid off using NXUSD from the team’s treasury.
According to Nereus, the exploit was the result of a “missed step” in the price calculation, which created the opportunity for it to be exploited. However, it emphasized that “no user funds were at risk and NXUSD continues to be over-collateralised,” and that “the borrowing and lending protocol was unaffected by this exploit.”
Nereus is also confident that the same exploit won’t happen a second time, saying the team “will amend our auditing and security practices to prevent this type of event from happening in the future.”
“This exploit is a bad incident, but it’s not uncommon for protocols to face this kind of combat testing.”
As of this writing, the Nereus team is attempting to identify the hackers and track the funds, offering a 20% white hat reward for returning the funds (no questions asked).
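An added illustration, not code from Nereus or from the original article: why an LP-token collateral price computed from in-block pool reserves can move within a single block, shown next to a reserve-independent valuation and a deviation check a lending market can apply before minting. The article does not say which step was missed, so the geometric-mean "fair" pricing formula, the fee-less constant-product pool model and all figures are assumptions of this example.

```python
import math

# Constructed figures (not from the incident): external USD prices and pool sizes.
AVAX_USD, USDC_USD = 20.0, 1.0

class Pool:
    """Fee-less constant-product AVAX/USDC pool (simplifying assumption)."""
    def __init__(self, avax, usdc, lp_supply):
        self.avax, self.usdc, self.lp_supply = avax, usdc, lp_supply

    def swap_usdc_in(self, amount):
        # Reserves move along avax * usdc = k; LP supply does not change.
        k = self.avax * self.usdc
        self.usdc += amount
        self.avax = k / self.usdc

def naive_lp_price(pool):
    # Values whatever reserves the pool holds right now, so it follows
    # any reserve skew created earlier in the same block.
    return (pool.avax * AVAX_USD + pool.usdc * USDC_USD) / pool.lp_supply

def fair_lp_price(pool):
    # Depends only on k and the external prices; a swap leaves k unchanged
    # in this fee-less model, so the result does not move with the skew.
    k = pool.avax * pool.usdc
    return 2 * math.sqrt(k * AVAX_USD * USDC_USD) / pool.lp_supply

def collateral_price_ok(pool, max_dev=0.02):
    # Guard a lending market can apply before minting against LP collateral:
    # reject when the reserve-based price strays from the fair price.
    fair = fair_lp_price(pool)
    return abs(naive_lp_price(pool) - fair) / fair <= max_dev

def demo():
    pool = Pool(avax=50_000.0, usdc=1_000_000.0, lp_supply=100_000.0)
    before = (naive_lp_price(pool), fair_lp_price(pool), collateral_price_ok(pool))
    pool.swap_usdc_in(8_000_000.0)  # one large swap, same block
    after = (naive_lp_price(pool), fair_lp_price(pool), collateral_price_ok(pool))
    return before, after

if __name__ == "__main__":
    for label, (naive, fair, ok) in zip(("before", "after"), demo()):
        print(f"{label}: naive={naive:.2f} fair={fair:.2f} accept={ok}")
```

With these constructed numbers the reserve-based price rises from 20 to about 91 per LP token after the swap while the fair price stays at 20, so the guard rejects the inflated valuation.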
Despite this recent flash loan exploit and a few other notable incidents throughout the year, CertiK’s August 2022 monthly Skynet alert report, released on September 2, claims that these types of attacks have dropped significantly.
Compared to the previous month, flash loan attacks fell by 95% in August, bringing total losses to $745,244, the second lowest of the year.
Losses from flash loan abuse in February remain the record low, at $200,000.