Crypto Times Logo Black
Google News Follow Banner
  • News
    • Market
    • Bitcoin
    • Ethereum
    • Altcoins
    • Regulations & Policies
    • DeFi News
    • Blockchain News
    • Industry
  • Exclusive
    ExclusiveShow More
    2 Years of the ₹2,000 Cr WazirX Hack: The Money Never Came Back. Neither Did the Founder
    2 Years of the ₹2,000 Cr WazirX Hack: The Money Never Came Back. Neither Did the Founder
    The Robinhood Chain Paradox Built for Tokenized Stocks, Dominated by Memecoins
    The Robinhood Chain Paradox: Built for Tokenized Stocks, Dominated by Memecoins
    Senators to Brief Trump on CLARITY Act Path - Here's What to Expect
    Senators to Brief Trump on CLARITY Act Path – Here’s What to Expect
    CLARITY Act 5 Fights Still Unresolved Before the Merged Draft Drops
    CLARITY Act: 5 Fights Still Unresolved Before the Merged Draft Drops
    Strategy's Cash Reserve Shift Reveals Weaknesses in Leveraged Bitcoin Balance Sheet_
    Strategy’s Cash Reserve Shift Reveals Weaknesses in Leveraged Bitcoin Balance Sheet
  • Opinion
    OpinionShow More
    The Execution Gap: Why the Next Breakthrough in Financial AI is Human Behavior
    The Execution Gap: Why the Next Breakthrough in Financial AI is Human Behavior
    The Bitcoin Treasury Blueprint What Stress Testing on Strategy Inc.’s MSTR-STRC Reveals
    The Bitcoin Treasury Blueprint: What Stress Testing on Strategy Inc.’s MSTR-STRC Reveals
    Why Wall Street is Divided Michael Saylor’s Scarcity vs. Tom Lee’s Staking Empire
    Why Wall Street is Divided: Michael Saylor’s Scarcity vs. Tom Lee’s Staking Empire
    The Arthur Hayes Paradox Macro Prophet or Market Opportunist
    The Arthur Hayes Paradox: Macro Prophet or Market Opportunist?
    RBI Denies Gold Sale Amid Oil Crisis: Could It Speed Up India's Digital Rupee Push?
    RBI Denies Gold Sale Amid Oil Crisis: Could It Speed Up India’s Digital Rupee Push?
  • Learn
    • Explained
    • How To
    • Insights
  • Videos
  • More
    • About Us
    • Our Authors
    • Contact Us
    • Editorial Policy
The Crypto TimesThe Crypto Times
  • All News
  • Market
  • Bitcoin
  • Ethereum
  • Altcoins
  • Regulations & Policies
  • Blockchain
  • DeFi
  • Industry
  • Exclusive
  • Opinion
Search
  • News
    • Market
    • Bitcoin
    • Ethereum
    • Altcoins
    • Regulations & Policies
    • Blockchain
    • DeFi
    • Industry
    • Exclusive
    • Opinion
  • Learn
    • Explained
    • How To
    • Insights
  • Quick Links
    • About Us
    • Our Authors
    • Contact Us
    • Editorial Policy
    • AI Policy
    • Sponsored & Advertorial Policy
  • Videos
  • Glossary
Follow US
© 2026 By Crypto Times. All Rights Reserved.
DeFi News

Polygon’s Stablecoin Protocol QiDAO Suffers Exploit Worth $13M

Superfluid protocol since then completed the assessment of the hack, identified the involved teams and accounts, and calculated potential losses.

Written By Vismaya V
Published 2022-02-09
Make The Crypto Times preferred on GoogleGoogle
Share
QiDAO Suffers Exploit Worth $13M

In Brief:

  • QiDAO’s Superfluid vesting contract got exploited resulting in a loss of $13M.
  • Superfluid identified the vulnerability and deployed a patch to the Polygon and xDai smart contracts.
  • The protocol offers $1M in bounty to the hackers if they return the stolen funds.

This year started off with multiple exploitations and hack attacks on several crypto platforms and Polygon’s native Stablecoin protocol QiDAO is the latest victim of such an event.

QiDAO’s Superfluid vesting contract got exploited and Superfluid later went on to confirm the same. They informed the users to unwrap all their Super-tokens until further updates.

Today at 6.48am GMT we were notified of a potential exploit of the QiDAO vesting contract that leverages Superfluid code. We are investigating the incident and will keep you updated in this thread and our Discord server.

— superfluid.eth (@Superfluid_HQ) February 8, 2022

Superfluid advised users not to use the smart contracts for the time being. Hours after the event, Superfluid published a blog post discussing the exploitation in detail.

Exploitation Event Breakdown

A hacker used faulty calldata to exploit Superfluid’s host contract, allowing them to create distribution indexes imitating several different accounts that held Super-tokens. 

This flaw allowed the attacker to transfer funds from Superfluid user wallets to Polygon exchanges and then swap to ETH.

SlowMist, a blockchain analytics firm, tracked the hacker’s address and discovered that it had profited more than $13 million.

According to @QiDaoProtocol , the QI Vesting contract on Superfluid has been exploited.

1) After MistTrack analysis, the attacker's address (0x157…090) has made a profit of more than 13 million US dollars, including QI, WETH, USDC, SDT, MOCA, STACK, sdam3CRV and MATIC.

— SlowMist (@SlowMist_Team) February 8, 2022

The hacker stole 11,008 MATIC, 1,507,931 MOCA, 28 ETH, 39,357 sdam3CRV, 19,387,874 QI, 44,581 SDT, 23,653 STACK, and 562,834 USDC in total and all the funds  presently sitting in their wallet.

According to preliminary information, the stolen funds belonged to some of the project’s early backers and included team-vested tokens.

Superfluid reached out to Mudit Gupta, a well-known member of the Ethereum security community and after discussions with him, they managed to find the vulnerability.

A host contract upgrade was then implemented. It has reverted any calls to the ‘callAgreement’ function. This ensured that any subsequent attempts to create agreements would fail, preventing the exploit from being reused.

The team developed a patch to remove the vulnerability and deployed it to the Polygon and xDai smart contracts.

They later tried to replicate the attack on a protocol testnet deployment. Then the team went on to conduct the same attack against the newly patched code on Polygon mainnet, confirming that the host upgrade had rendered this type of exploit impossible in the future.

Recently, Wormhole, a cross-chain token bridge, reported the second largest DeFi attack after Poly Network, on its platform, resulting in a loss of 120,000 wETH. 

AfterMath and Reimbursements

Superfluid completed the assessment of the hack, identified the majority of the involved teams and accounts, and calculated potential losses. 

80% of the affected addresses through a direct transfer of USDC in less than 18 hours since the exploitation. 

The left 20% constitute 90% of the stolen funds, including the larger losses suffered by the QI and MOCA teams. 

The affected users and Superfluid agreed on a longer-term compensation plan which takes into account the full range of available options given the financial circumstances.

Superfluid sent a transaction to the Polygon blockchain with a message, in hopes of negotiating with the attacker. The team offered a $1 million reward if the attackers return the stolen funds.

The attackers have not yet responded and Superfluid is engaging experienced forensic experts to track down the address. 

The hackers used Tornado Cash and the protocol is still determined to track them down because TornadoCash employs total privacy.

Superfluid has stated that it will establish a formal bug bounty programme on February 15, 2022. For vulnerabilities uncovered, the programme will pay up to $200,000 in bounties.

QiDAO Tokens

After hackers began dumping the stolen QI Quickswap DEX with high slippage, the price of QiDAO’s governance token fell 68.5%. 

#Slippage $QI #QiDAO price dropped -68.05% #Polygon https://t.co/CozWr2kwOZ pic.twitter.com/3Fef1PTG4A

— PeckShieldAlert (@PeckShieldAlert) February 8, 2022

At that time, the price dropped from $1.24 to $0.18. Nonetheless, a price recovery can already be seen, as eager investors bought the dip. At the time of posting, the token had dropped 66% in the previous 24 hours and is trading at $0.78.

Disclaimer: The information researched and reported by The Crypto Times is for informational purposes only and is not a substitute for professional financial advice. Investing in crypto assets involves significant risk due to market volatility. Always Do Your Own Research (DYOR) and consult with a qualified Financial Advisor before making any investment decisions.

Follow The Crypto Times on Google News to Stay Updated!      Google News

TAGGED:DAODeFiPolygon
Share This Article
Whatsapp Whatsapp LinkedIn Telegram Copy Link

Latest News

The Crypto Opportunity Hidden Inside India's Historic Vikram-1 Launch
The Crypto Opportunity Hidden Inside India’s Historic Vikram-1 Launch
Brian Armstrong's Profile Pic Drama Sends $BRIAN Memecoin Surging and Crashing 90% on Base
Brian Armstrong’s Profile Pic Drama Sends $BRIAN Memecoin Surging and Crashing 90% on Base
France Escalates to ISP Block After Polymarket Ban Fails to Stop Traffic
France Escalates to ISP Block After Polymarket Ban Fails to Stop Traffic
Bitcoin and The Crypto Market Is Defying Gravity Right Now – Here’s Why
Bitcoin and The Crypto Market Is Defying Gravity Right Now – Here’s Why
Fake Crypto Scam in India Panchkula Police Arrest 3 in ₹3.28 Cr Fraud
Fake Crypto Scam in India: Panchkula Police Arrest 3 in ₹3.28 Cr Fraud

Find Us on Socials

You may also like

Across Protocol Reports First Attack on Solana After $34B in Bridge Volume

Across Protocol Reports First Attack on Solana After $34B in Bridge Volume

Solana Protocol DeFiTuna Hit by $580K Exploit, USDC Pool Left Short

Solana Protocol DeFiTuna Hit by $580K Exploit, USDC Pool Left Short

Polygon Labs Lays Off Staff Ahead of Coinme Integration

Polygon Labs Lays Off Staff Ahead of Coinme Integration

ARK Invest Challenges a16z’s Blockchain Thesis on DeFi Future

ARK Invest Challenges a16z’s Blockchain Thesis on DeFi Future

The Crypto Times Logo PNG

Providing real-time, accurate Crypto reporting. Your trusted source for Crypto News and Research.

Stay Updated

All News
Exclusive
Opinions
Learn
Videos
Glossary

Company

About Us
Our Authors
Editorial Policy
AI Policy
Advertorial Policy

Get In Touch

Contact Us
Career

Find Us on Socials

X-twitter Linkedin Telegram Youtube Instagram

© 2026 The Crypto Times | A BITROCK TECHNOLOGIES L.L.C. Company.

DMCA.com Protection Status
  • Terms and Conditions
  • Disclaimer
  • Privacy Policy
  • Cookie policy
Do Not Sell or Share My Personal Information