Superfluid vesting contract targeted in a complex attack
Stablecoin protocol Qi Dao on the Polygon blockchain took to Twitter on Tuesday, February 8, to inform the community about an exploit of the Superfluid vesting contract. Additionally, Qi Dao assured users that funds were safe and no funds from Qi Dao had been affected.
Superfluid also confirmed the exploit on Qi Dao and said it was analyzing the situation and would provide an update soon. It is vital to note that the exploit was carried out using a vulnerability in a Superfluid contract, and Qi Dao itself wasn’t exploited. As noted, Qi Dao exists on the Polygon blockchain as a stablecoin protocol. It enables users to move assets on-chain in a real-time constant flow from one wallet to another. For example, $1000 would move from one wallet to another at a rate of $10 every day.
Team tokens taken
Early reports suggested that the stolen funds belonged to some of the project’s early supporters and included team-vested tokens. The exploit led to Qi Dao’s QI token dropping 65% in price, from $1.24 to $0.27, as the hackers dumped QI with high slippage on the leading Polygon exchange QuickSwap. Since the exploit was announced, the price has started to recover, climbing back to $0.78 at the time of writing as investors took the opportunity to buy the dip.
Although users’ funds are unaffected, the hackers managed to walk away with over $20 million worth of tokens, including 562,000 USDC, 24 wETH, 44,000 Stake DAO (SDT), 1.5 million Museum of Crypto Art (MOCA), and more.
Thanks to analytics firm SlowMist, we can see the extent of the hackers’ activity more clearly. After analyzing the wallet transaction data, it was estimated that the hackers managed to steal about $13 million in crypto.
Token bridges under stress
The exploit arrives just a few days after the Polygon Network raised $450 million in a funding round led by Sequoia Capital India, featuring investment from venture capital firms like Softbank Vision Fund 2, Galaxy Digital, and Tiger Global. However, the news about the exploit hasn’t affected the price of Polygon’s native MATIC token, as it is widely recognized that the error lay with the Superfluid vesting contract and not Polygon itself.
This is the third notable smart contract attack in under two weeks. On January 28, Qubit Finance, a DeFi protocol on Binance Smart Chain, saw hackers exploit its token bridge for $80 million. Then on February 3, hackers targeted the Solana Wormhole bridge and walked away with $321 million in tokens.
Ethereum founder Vitalik Buterin has recently expressed concern about token bridges, more specifically warning of their vulnerability in the event of 51% attacks. His comments arrived as more low-cost EVM-compatible Layer-1 networks, like Polygon, seek to capitalize on Ethereum’s high gas fees. He has a strong point, given that cross-chain protocols were among those hit hardest by hackers in 2021, with the trend continuing into 2022.
The above does not constitute investment advice. The information given here is purely for informational purposes only. Please exercise due diligence and do your research. The writer holds ETH, BTC, AGIX, HEX, LINK, GRT, CRO, OMI, IMMUTABLE X, GALA, AVASTR, GMEE, CUBE, RADAR, FLOW, FTM, BNB, SPS, WRLD, ATOM, and ADA.