Avalanche DeFi Staking Platform Flash-Loan Exploit
On Sept. 7, Nereus Finance released a well-detailed post-mortem of the incident explaining.
In the latest Avalanche-based Defi staking platform – Nereus Finance suffered a flash loan attack worth as much as USD 370,000 worth of USD Coin (USDC). Decentralized exchange (DEX) Trader Joe and Defi platform Curve Finance are also believed to have been impacted by the event that was executed around 3:26 pm ET on September 6.
We've published a post-mortem on the NXUSD incident from yesterday. https://t.co/ADhu6PagP2
— Nereus Finance (@nereusfinance) September 7, 2022
Thanks @peckshield @CertiK
On Sept. 7, Nereus Finance released a well-detailed post-mortem of the incident explaining:
An exploiter was able to deploy a custom smart contract and that leveraged a $51M flash loan to manipulate the AVAX/USDC Trader Joe LP pool price for a single block resulting in the ability for the exploiter to mint 998,000NXUSD against ~$508k worth of collateral.We recently launched one of our newest collateral types, supporting AVAX/USDC Trader Joe LP tokens. However, there was a missed step in the price calculation resulting in the opportunity to be exploited.The price calculation was based on the current wAvaxReserve price, usdcReserve price, and totalSupply taken on-chain from the TraderJoe Pool directly without any time weighted average price mechanism implemented in order to prevent potential single block manipulation.
According to CertiK's August 2022 Monthly Skynet Alerts Report, released on Sept. 2, claims there has been a notable decrease in these types of attacks.
So far in 2022, ~ $2,338,910,183 billion has been lost to various scams and exploits in the Web3 world and a total of ~377 attacks were recorded this year. Just like in July, August has seen the same number of major incidents with 31 major attacks recorded. On the other hand, exit scams, flashloans, Discord, and NFT scams have all decreased compared to last month’s. Out of the 44 exploits recorded this month, 33 were deemed exit scams, 7 were analyzed as flashloan attacks, and 4 fell into other incident categories.