A September 12 tweet by DeFiPrime, an industry outlet, revealed that Zabu Finance, a decentralized finance protocol, had become the latest victim of a hack, with a whopping $3.2 million loss due to a vulnerability in its contract. This marks the first major attack on Avalanche.
In a follow-up tweet, the protocol confirmed the exploit and noted that the attacker moved the funds from its SPORE pool.
It explained further that the hacker exploited a vulnerability in the contract used by yield farms for rewards distribution. It also added that the exploit on the “Transfer Tax” mechanism, which the attack used to mint tokens, caused the token's price to collapse.
We've been exploited today. What happened?
— Zabu Finance 🔺 (@zabufinance) September 12, 2021
A further explanation by Zabu Finance, a supposed full-stack DeFi station built on the Avalanche network, revealed that the hacker interacted with the contract and used 4.5 billion ZABU tokens to gain liquidity from the Pangolin and Trader Joe DEXes, which are other farms on Avalanche. He sold them all.
After realizing this had happened, ZABU set the rewards to allow users to withdraw. The team has already set out a plan to take care of those affected by distributing ZABU v2 tokens and restarting the farm. At the same time, new participants would receive the Zabu v1 staking pool.
According to the team: “In that way, people who lost money pre-hack will get distributed the tokens, and continue to support the protocol if they want. For the late buyer (post-hack), they can also participate in the Farm V2 by staking what they’ve bought in a Zabu V1 Staking Pool.”
It is worth adding that the looting of ZABU tokens has crashed the token's price to zero or nearly zero. According to data from CoinGecko, the token was trading at $0.004 on Sunday against today’s $0.00002.
The Zabu hack adds to the several DeFi attacks seen so far this year. DeFiYield’s REKT database reveals that about $1.6 billion has been lost to similar hacks, scams, and rug pulls in the last half decade.