An attacker stole at least $370,000 worth of USDC stablecoins from a smart contract on the Avalanche blockchain in a flash loan attack, affecting multiple liquidity providers.
Avalanche says the incident does not point to an issue on the Avalanche network but is “an issue with the smart contract built on the network. An analogue would be Gmail having an issue, rather than the internet itself,” a spokesperson for the company tells Information Security Media Group.
Flash loans are fast, uncollateralized cryptocurrency loans, where a user can borrow and repay funds within one transaction. The attacker exploited a vulnerability in the smart contract in question, called CauldronV2, to manipulate the exchange rate of the stablecoin, says blockchain security firm CertiK.
The attack affected lending protocol Nereus Finance, decentralized exchange Trader Joe and automated market maker Curve Finance, all of which run on the Avalanche blockchain, CertiK says.
Nereus Finance says it is executing a post-attack recovery process and declined ISMG’s request for additional details. In a blog post, the company details how the attack created $500,000 of NXUSD bad debt in its protocol.
Nereus is a lending protocol with multiple markets. One specific market, the AVAX/USDC Joe LP NXUSD market, was the one attacked, incurring $500,000 of NXUSD bad debt, according to PeckShield, which supported Nereus with the investigation. NXUSD is a USD-pegged stablecoin minted by Nereus Finance.
The attacker “used a $51 million flash loan to manipulate the AVAX/USDC Trader Joe LP pool price and simply deposited the $508,000 worth of collateral to mint 998,000 NXUSD, hence incurring a $500,000 NXUSD bad debt,” the spokesperson says.
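The valuation failure described above, a single-transaction swap skewing the LP pool that a lending market reads as its price source, as an added simulation that is not code from the article or from Nereus, Trader Joe or PeckShield. The pool reserves, external AVAX price, loan-to-value ratio and the 12,700 LP tokens of collateral are constructed; the "fair" LP valuation from the pool invariant and an independent price is one known mitigation and is shown beside the naive spot valuation.

```python
from math import sqrt

# Constructed AVAX/USDC constant-product pool (x * y = k); not real reserves.
POOL = {"avax": 1_000_000.0, "usdc": 20_000_000.0, "lp_supply": 1_000_000.0}
EXTERNAL_AVAX_PRICE = 20.0   # assumed price from an independent oracle (e.g. a TWAP)
LTV = 0.55                   # constructed loan-to-value ratio for LP collateral
FLASH_LOAN_USDC = 51_000_000.0

def swap_exact_in(pool, token_in, amount_in, fee=0.003):
    """Apply a constant-product swap to the pool in place; returns amount received."""
    token_out = "usdc" if token_in == "avax" else "avax"
    eff_in = amount_in * (1 - fee)
    amount_out = pool[token_out] * eff_in / (pool[token_in] + eff_in)
    pool[token_in] += amount_in
    pool[token_out] -= amount_out
    return amount_out

def spot_lp_value(pool, lp_amount):
    """Naive oracle: values LP tokens from the pool's own reserves and spot price.
    Because usdc == avax * spot_price, the pool is worth exactly 2 * usdc reserves,
    so whoever can push USDC into the pool within one transaction inflates it."""
    spot_price = pool["usdc"] / pool["avax"]
    pool_value = pool["avax"] * spot_price + pool["usdc"]
    return pool_value * lp_amount / pool["lp_supply"]

def fair_lp_value(pool, lp_amount, ext_price):
    """Manipulation-resistant valuation: derive the reserves the pool *would*
    hold at the external price from the invariant k (which a swap leaves
    unchanged apart from fees), giving pool value = 2 * sqrt(k * ext_price)."""
    k = pool["avax"] * pool["usdc"]
    return 2 * sqrt(k * ext_price) * lp_amount / pool["lp_supply"]

def simulate(lp_collateral=12_700.0):
    """Returns (spot value before, spot value while skewed, fair value while
    skewed, bad debt left with the lender once the pool is restored)."""
    pool = dict(POOL)
    before = spot_lp_value(pool, lp_collateral)
    avax_out = swap_exact_in(pool, "usdc", FLASH_LOAN_USDC)  # pool skewed by the loan
    inflated = spot_lp_value(pool, lp_collateral)            # what a naive oracle reports
    minted = inflated * LTV                                  # debt issued against it
    fair = fair_lp_value(pool, lp_collateral, EXTERNAL_AVAX_PRICE)
    swap_exact_in(pool, "avax", avax_out)                    # pool restored, loan repaid
    bad_debt = max(0.0, minted - spot_lp_value(pool, lp_collateral))
    return before, inflated, fair, bad_debt
```

With these constructed numbers the naive valuation of the collateral more than triples while the invariant-based valuation moves by about a tenth of a percent, which is the property a lender's oracle for LP collateral needs.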
Nereus says it paused the exploited market, consulted security experts to develop a mitigation plan and notified law enforcement. “No users’ funds are at risk … In addition, no part of the lending and borrowing protocol was ever at risk,” it says.
The company has since fixed the vulnerability and paid off the bad debt using its own funds, and it plans to amend its audit and security practices to prevent a recurrence of such attacks. It continues to trace the thief, the company says, but has also offered the attacker a 20% “no questions asked” white hat reward if they return the funds.
“While this exploit is a bad incident, it’s not uncommon for protocols to face these types of battle tests. As we are about to aggressively expand, we will continue to invest in our capabilities and risk mitigation strategies,” Nereus says.
Meanwhile, the attacker appears to have transferred the funds from the Avalanche blockchain to the Ethereum network, says Martin Hiesboeck, head of research at cryptocurrency financial services provider Uphold Inc., citing on-chain data from the Avalanche explorer Snowtrace.io.