QiDAO Loses $13M After Superfluid Vesting Contract Exploit

  • QiDAO has assured users that their funds remain safe, with information suggesting that the stolen $13 million belonged to early backers and investors in QiDAO.
  • Superfluid’s team noted that the attack may have been a “potential protocol layer exploit”, and advised users to unwrap their assets as a precaution.

Polygon-based decentralized finance (DeFi) protocol QiDAO has experienced a security breach on its Superfluid vesting contract, losing $13 million in the process, the platform said on Twitter on 8 February.

A follow-up message from the QiDAO team explained that the vulnerability was not connected to the QiDAO main contracts — which allow users to move assets on-chain in a constant flow, from one wallet to another — but was found in the vesting contract the protocol had deployed using the programmable smart contract framework Superfluid. The team also noted that users’ funds remain safe, and that no funds from QiDAO were affected. Superfluid confirmed the exploit on Twitter.

Blockchain data suggests that the attacker was able to steal approximately $13 million worth of cryptocurrencies, including wETH, USDC, SDT, MOCA, STACK, and sdam3CRV. Additional information has also suggested that the stolen funds belonged to early backers and investors in QiDAO, and also included team vested tokens.

An update from the Superfluid team claimed the attack could have been a “potential protocol layer exploit”, and the team has now advised users who hold “SuperTokens” to unwrap their assets as a precaution.

Shortly after the exploit, the attacker started dumping QiDAO’s native token QI on Quickswap DEX with high slippage, causing the price of the token to plummet from $1.24 to almost $0.16. Opportunistic traders, however, were quick to buy the dip and propel the governance token to $0.7 at the time of writing.
