Zabu Project Loses $3.2M in Latest DeFi Hack

  • According to security firm PeckShield, the bug used by the attacker is well known, and has been used “many times before”.
  • Zabu has expressed its intentions to return the stolen tokens to investors, based on their balances before and after the exploit.

Avalanche-based decentralized finance (DeFi) protocol Zabu has become the latest victim of an exploit, which saw $3.2 million stolen from the project, Zabu said via its Twitter account on 12 September.

On 11 September the project told its investors that it was experiencing an exploit and assured them that the team “has not sold a single Zabu” token. It said the assets had been stolen from the Spore Pool and asked the Avalanche-based decentralized exchanges Pangolin and Trader Joe for help. According to industry outlet DeFiPrime, this could be the first major exploit on the Avalanche blockchain.

After further investigation, the team found that the attacker had used the protocol's “Transfer Tax” mechanism to mint tokens and then exploited a vulnerability in a contract of the kind yield farms typically use to distribute rewards. The attacker first “successfully pulled out 4.5 billion Zabu tokens from Zabu Farm Contract”, used them to acquire liquidity provider tokens from Pangolin and Trader Joe, and then sold those for profit. Security firm PeckShield said the hacker used an already known bug that has “happened many times before”.
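The article does not name the bug, so the following is an added illustration rather than Zabu's code: it assumes the “already known” defect is the common accounting mismatch between the amount a farm credits to a staker and the amount it actually receives when the staked token deducts a transfer tax. `FarmVulnerable`, `FarmHardened`, `stakeToken` and `solvent` are all hypothetical names chosen for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Zabu's code. Assumption: the staked token charges a tax on
// every transfer, so a farm that credits the *requested* amount instead of the
// *received* amount slowly lets credited balances exceed its real holdings.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Vulnerable pattern: credits `amount`, not what arrived.
contract FarmVulnerable {
    IERC20 public immutable stakeToken;
    mapping(address => uint256) public staked;
    uint256 public totalStaked;

    constructor(IERC20 token) { stakeToken = token; }

    function deposit(uint256 amount) external {
        require(stakeToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        // BUG: with a transfer tax the farm received less than `amount`, yet it
        // credits the full `amount`; the gap is covered by other stakers' tokens.
        staked[msg.sender] += amount;
        totalStaked += amount;
    }

    function withdraw(uint256 amount) external {
        require(staked[msg.sender] >= amount, "insufficient stake");
        staked[msg.sender] -= amount;
        totalStaked -= amount;
        require(stakeToken.transfer(msg.sender, amount), "transfer failed");
    }
}

/// Hardened pattern: measure the balance delta and credit only what arrived.
contract FarmHardened {
    IERC20 public immutable stakeToken;
    mapping(address => uint256) public staked;
    uint256 public totalStaked;
    bool private locked; // simple reentrancy guard; balance-delta accounting
                         // alone does not protect against tokens with hooks

    constructor(IERC20 token) { stakeToken = token; }

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit(uint256 amount) external nonReentrant {
        uint256 before = stakeToken.balanceOf(address(this));
        require(stakeToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        // Credit exactly the tokens that landed in the contract, tax already deducted.
        uint256 received = stakeToken.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        staked[msg.sender] += received;
        totalStaked += received;
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(staked[msg.sender] >= amount, "insufficient stake");
        staked[msg.sender] -= amount;
        totalStaked -= amount;
        require(stakeToken.transfer(msg.sender, amount), "transfer failed");
    }

    /// Invariant a monitor can poll: the farm must always hold at least what it
    /// has credited. In the vulnerable contract this drifts false over time.
    function solvent() external view returns (bool) {
        return stakeToken.balanceOf(address(this)) >= totalStaked;
    }
}
```

The `solvent()` view is the detection hook: an off-chain watcher that polls `balanceOf(farm) >= totalStaked` after every deposit and withdrawal catches the drift long before the pool is drained, and the same check works as a fuzzing invariant against a farm contract paired with any fee-on-transfer token.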

Investors have already been advised by Zabu and by Yield Yak, an Avalanche-hosted DeFi tool, to withdraw their holdings or risk losing their assets. Zabu also declared its intention to return any stolen tokens to investors, based on their balances before and after the hack. The project said, however, that the snapshot process could take some time, as it needed to calculate the “balances of Zabu Holders, Farm Stakers (for Zabu-related Pools) and AutoFarm Stakers (for Zabu-related Pools)”.

While this could be the first large exploit on Avalanche, it is just the latest in a long list of DeFi projects losing their tokens. According to DeFiYield’s “REKT Database”, around $1.6 billion has been lost in DeFi hacks, scams, and rug pulls over the last 5 years.
