Avalanche-based decentralized finance (DeFi) protocol Zabu has become the latest victim of an exploit, which saw $3.2 million stolen from the project, Zabu said via its Twitter account on 12 September.
The project assured its investors on 11 September that the team “has not sold a single Zabu” token and that it was experiencing an exploit. It not only said the assets were stolen from Spore Pool, but also asked the Avalanche-based decentralized exchanges Pangolin and Trader Joe for help. According to industry outlet DeFiPrime, this could be the first major exploit to happen on the Avalanche blockchain.
After further investigation, the team found that the attacker used the protocol’s “Transfer Tax” mechanism to mint tokens, and then exploited a vulnerability in the farm contract, of the kind usually used by yield farms to distribute rewards. He first “successfully pulled out 4.5 billion Zabu tokens from Zabu Farm Contract”, which he then used to acquire liquidity provider tokens from Pangolin and Trader Joe, which were in turn sold for profit. Security firm PeckShield said the hacker used an already known bug, which has “happened many times before”.
Investors have already been advised by Zabu and Yield Yak, an Avalanche-hosted DeFi tool, to withdraw their holdings, or risk losing their assets. Zabu also declared its intention to return any stolen tokens to investors, based on their balance before and after the hack. The project, however, said that the snapshot process could take some time, as they needed to calculate “balances of Zabu Holders, Farm Stakers (for Zabu-related Pools) and AutoFarm Stakers (for Zabu-related Pools)”.
While this could be the first large exploit on Avalanche, it is just the latest in a long list of DeFi projects losing their tokens. According to DeFiYield’s “REKT Database”, around $1.6 billion has been lost in DeFi hacks, scams, and rug pulls over the last 5 years.