103 Interactions, 2 Today
Zabu confirmed that the attacker successfully extracted 4.5 billion tokens from the Zabu Farm Contract and stole around $600,000.
Zabu Finance, a DeFi application on the Avalanche blockchain, has apparently been hacked for $3.2 million in crypto tokens. After a huge number of tokens were removed, the value of Zabu tokens was decreased to zero.
Zabu Finance announced the exploit by asking for help from Avalanche and popular Avalanche-hosted decentralized exchanges such as Pangolin and Trader Joe:
“Zabu Team Wallet has not sold a single Zabu. We’re under an exploit, possibly from Spore Pool. We’re investigating the exploit. Need help Pangolin, Trader Joe, Avalanche.”
Based on further investigation, Zabu found the attacker stole the assets from a pool of Spore tokens which, according to the blockchain explorer, included 402.9 Wrapped Ether (WETH), 23,157 Wrapped AVAX (WAVAX), 21,501 Pangolen (PNG), 106,848 Avaware (AVE), 361,267 Tether (USDT) and 23,958.93 JOE (JOE), all amounting to $3.2 million at the time of exploit.
The attacker was able to connect with the blockchain contracts and “successfully pulled out 4.5 billion Zabu tokens from Zabu Farm Contract, dumped all to Pangolin LPs and Trader Joe LPs of Zabu, stole roughly $600K,” according to Zabu. Soon after the flaw was discovered, Zabu and Yield Yak, an Avalanche-hosted DeFi application, warned investors to liquidate their shares or risk losing their assets to the attacker.
As a part of remediation, Zabu intends to return tokens to investors based on their balances before and after the hack:
“The process of Snapshot might take time as we need to calculate balances of Zabu Holders, Farm Stakers (for Zabu-related Pools) and AutoFarm Stakers (for Zabu-related Pools). We might need help Markr, DeBank and Avalanche.”
Zabu also burnt the remaining 93.12 million Zabu tokens, totalling $360,000.
On August 30, another DeFi project, xToken, disclosed a cyberattack that resulted in a $4.5 million loss. According to Cointelegraph, the hacker went through a complex token swap process, including obtaining a flash loan from the dYdX decentralised exchange for 25,000 ETH (about $81 million) to carry out the operation.
Following this, xToken discontinued the xSNX product, citing “large surface area for vulnerabilities.”