Defunct Swerve Finance still subject of $1.3 million live governance hack

Quick Take

  • The governance attack to steal $1.3 million from Swerve Finance is still ongoing.
  • One blockchain researcher says he has unmasked the person responsible.

Swerve Finance, a defunct Curve Finance clone, is still in the middle of a live governance exploit, viewable on-chain, to steal $1.3 million in stablecoins, and details may have emerged unmasking the alleged exploiter behind the attack.

To recap, someone has been trying to mount a governance attack on Swerve Finance. A governance attack is one in which the hacker takes control of enough voting power to execute proposals designed to steal tokens from a protocol. In Swerve Finance’s case, the attack has been continuing for more than a week.

It began when an address owned by an entity we’ll refer to as "Exploiter A" for the purpose of this article launched the governance attack. This address did so by creating two proposals to transfer ownership of Swerve’s remaining funds — worth $1.3 million — to the attacker’s contract. The exploiter launched this attack with 348,000 of Swerve’s governance tokens but was unsuccessful, because the attacker did not hold enough tokens to meet the 51% token ownership threshold required to pass the proposal.

On-chain data shows Exploiter A requesting assistance from another address, which we’ll call "Exploiter B." This new entity soon began voting on the proposal with 102,000 Swerve governance tokens. The combined voting power of these two entities is still not enough to pass the malicious governance proposal.

Swerve Finance exploiter doxed?

Wintermute’s Head of Research Igor Igamberdiev believes he has unmasked the identity of the exploiter. Igamberdiev provided a trail of on-chain evidence, including transactions routed via the sanctioned crypto mixer Tornado Cash, that linked to a specific individual. The analysis links wallet addresses associated with this individual to Exploiters A and B responsible for the governance attack.

Igamberdiev stated that he is “100%” sure the individual is the exploiter, adding, “Timing is the usual heuristic to connect deposits and withdrawals.” For context, timing here refers to the numerous instances where deposits and withdrawals linked to the individual and the two exploiter addresses appear to be connected.

The alleged exploiter had not responded to The Block’s request for comment as of the time of reporting.

Igamberdiev stated that it was not too late for the exploiter to stop the attack. “Instead, it's possible to help the community protect Swerve from future attacks, for example, by transferring ownership to the null address,” Igamberdiev tweeted.


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Osato is a news reporter at The Block as part of the crypto ecosystems team that focuses on DAO governance, staking, blockchain layers, and DeFi. He was previously a news reporter at Cointelegraph. Based in Lagos, Nigeria, he enjoys crosswords, poker, and attempting to beat his Scrabble high score. Follow him on Twitter at @OsatoNomayo.

Editor

Madhu Unnikrishnan