- QiDAO’s Superfluid vesting contract got exploited resulting in a loss of $13M.
- Superfluid identified the vulnerability and deployed a patch to the Polygon and xDai smart contracts.
- The protocol offers $1M in bounty to the hackers if they return the stolen funds.
This year started off with multiple exploitations and hack attacks on several crypto platforms and Polygon’s native Stablecoin protocol QiDAO is the latest victim of such an event.
QiDAO’s Superfluid vesting contract got exploited and Superfluid later went on to confirm the same. They informed the users to unwrap all their Super-tokens until further updates.
Superfluid advised users not to use the smart contracts for the time being. Hours after the event, Superfluid published a blog post discussing the exploitation in detail.
Exploitation Event Breakdown
A hacker used faulty calldata to exploit Superfluid’s host contract, allowing them to create distribution indexes imitating several different accounts that held Super-tokens.
This flaw allowed the attacker to transfer funds from Superfluid user wallets to Polygon exchanges and then swap to ETH.
SlowMist, a blockchain analytics firm, tracked the hacker’s address and discovered that it had profited more than $13 million.
The hacker stole 11,008 MATIC, 1,507,931 MOCA, 28 ETH, 39,357 sdam3CRV, 19,387,874 QI, 44,581 SDT, 23,653 STACK, and 562,834 USDC in total and all the funds presently sitting in their wallet.
According to preliminary information, the stolen funds belonged to some of the project’s early backers and included team-vested tokens.
Superfluid reached out to Mudit Gupta, a well-known member of the Ethereum security community and after discussions with him, they managed to find the vulnerability.
A host contract upgrade was then implemented. It has reverted any calls to the ‘callAgreement’ function. This ensured that any subsequent attempts to create agreements would fail, preventing the exploit from being reused.
The team developed a patch to remove the vulnerability and deployed it to the Polygon and xDai smart contracts.
They later tried to replicate the attack on a protocol testnet deployment. Then the team went on to conduct the same attack against the newly patched code on Polygon mainnet, confirming that the host upgrade had rendered this type of exploit impossible in the future.
Recently, Wormhole, a cross-chain token bridge, reported the second largest DeFi attack after Poly Network, on its platform, resulting in a loss of 120,000 wETH.
AfterMath and Reimbursements
Superfluid completed the assessment of the hack, identified the majority of the involved teams and accounts, and calculated potential losses.
80% of the affected addresses through a direct transfer of USDC in less than 18 hours since the exploitation.
The left 20% constitute 90% of the stolen funds, including the larger losses suffered by the QI and MOCA teams.
The affected users and Superfluid agreed on a longer-term compensation plan which takes into account the full range of available options given the financial circumstances.
Superfluid sent a transaction to the Polygon blockchain with a message, in hopes of negotiating with the attacker. The team offered a $1 million reward if the attackers return the stolen funds.
The attackers have not yet responded and Superfluid is engaging experienced forensic experts to track down the address.
The hackers used Tornado Cash and the protocol is still determined to track them down because TornadoCash employs total privacy.
Superfluid has stated that it will establish a formal bug bounty programme on February 15, 2022. For vulnerabilities uncovered, the programme will pay up to $200,000 in bounties.
After hackers began dumping the stolen QI Quickswap DEX with high slippage, the price of QiDAO’s governance token fell 68.5%.
At that time, the price dropped from $1.24 to $0.18. Nonetheless, a price recovery can already be seen, as eager investors bought the dip. At the time of posting, the token had dropped 66% in the previous 24 hours and is trading at $0.78.