Hacker uses $2,700 to drain $15.8 million from Team Finance

Quick Take

  • An attacker has exploited flaws in the Team Finance migration function for moving locked liquidity tokens.
  • Today’s attack only required $2,700 on their part.
 

Team Finance has suffered a malicious exploit with the attacker draining $15.8 million worth of tokens from the protocol.

Team Finance is a DeFi platform that helps other projects lock their liquidity. This is done to reduce the risk of what's known as rug pulling — where a project's liquidity is withdrawn, causing the value of the token to crash. 

Today’s attacker targeted the liquidity tokens under Team Finance’s custody, according to PeckShield. The attack affected four projects, namely CAW (A Hunters Dream), Dejitaru Tsuka, Kondux, and Feg. CAW was the most impacted in the incident with the attacker removing $11.5 million worth of its liquidity tokens.

The DeFi liquidity locker confirmed the incident, stating that the attacker exploited its audited version 2 to version 3 migration function. PeckShield stated that the flaw in the migration function allowed the attacker to manipulate the price of liquidity tokens when transferring from v2 to v3. This price skewing allowed the attacker to earn a significant profit after the migration process was completed.

“We have temporarily paused all activity through team finance until we are certain this exploit has been remedied. All funds currently on Team Finance are not at further risk of this exploit,” Team Finance stated.

The attacker used 1.76 ether ($2,700) to launch the attack, PeckShield noted. The attacker’s wallet address still holds the proceeds from the exploit, including $6.43 million in the DAI stablecoin and 880 ETH ($1.36 million).

THE SCOOP

Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy