Thursday, December 8, 2022
 

Scammer of DeFi Protocol Exploits Walks Away with $371K

  • Nereus Finance, Trader Joe, and Curve Finance were hit by a cunning attack that resulted in bad debt of $500k.
  • An exploiter used a $51 million flash loan from Aave to artificially manipulate pool prices.
  • The bad debt has been paid from the project’s treasury, and the team is offering a 20% White Hat reward on funds recovery.

Nereus Finance, an Avalanche-based lending system, fell victim to a cunning attack in which a user profited $371,000 in USDC through a smart contract vulnerability. The attack affected liquidity pools on Nereus, Trader Joe, and automated market maker Curve Finance, according to blockchain cybersecurity firm CertiK, one of the first to identify the issue on Tuesday.

However, Curve Finance countered the tweet, stating that the assets were impacted, not its protocol.

According to a detailed post on the incident published by Nereus Finance, an exploiter deployed a custom smart contract that used a $51 million flash loan from Aave to artificially manipulate the price of the AVAX/USDC Trader Joe LP (JLP) pool for a single block.

Consequently, the unidentified hacker was able to mint 998,000 NXUSD, the native token of Nereus, against $508,000 in collateral. After repaying the flash loan, they could exchange the money for various assets via many liquidity pools and walk away with a net profit of $371,406.

The Nereus team claimed it acted swiftly to address the issue by consulting security professionals, creating a mitigation strategy, and notifying law enforcement. It ultimately liquidated and suspended the abused JLP market.

According to the report, the event created bad debt totaling $500,000 in the NXUSD protocol, which the team paid off from its treasury. Additionally, the team is offering a 20% White Hat reward on funds recovery, promising no further interrogation.

Nereus pledged to amend its “audit and security practices to ensure such events do not occur in the future.” 
