The latest decentralized finance (DeFi) protocol to suffer at the hands of bad actors is vault management platform Visor Finance.
In an incident report on June 20, the DeFi protocol revealed that an attacker had obtained access to an account that managed some of its admin functions.
DeFi exploits abound
The malicious actor was able to withdraw funds from deposits that were yet to be placed into the liquidity provider positions, it added.
Visor reported that the amount stolen equated to around 16.7% of its total value locked of $3 million, or around $500,000. It confirmed that the hacker was not a member of the team and therefore lacked a full understanding of its emergency withdrawal safeguards:
“Stolen funds were thus limited to un-positioned assets and thus the $500k number was not arbitrary.”
Visor Finance confirmed that it used its treasury stash to replace what had been stolen before detailing how it happened.
Admin account compromised
Visor Protocol offers a Smart Vault, a non-fungible token (NFT) vault that users mint and deposit assets into. The vault is then used to interact with a “Hypervisor”, a smart contract that connects assets in the vault to external DeFi protocols.
It was the Hypervisor that was compromised during the incursion, and the team has admitted that it was at fault for relying on single admin access rather than a multi-signature account.
“But with that said, our mistake was not using a multisig account for all admin functions of the Hypervisor. This has since been corrected.”
Visor stated that the Hypervisor was initially designed this way because it was not practical to collect multiple signatures every time a rebalance was needed, given frequent rebalancing on multiple pairs. An emergency withdraw function was implemented to test the Hypervisors pending a protocol audit as a safeguard in case funds needed to be rescued, it added.
The DeFi protocol confirmed that the smart contracts themselves were not exploited and industry standard practices will be employed going forward.
“We realize the importance of permission management and will only adopt industry standards and best practices now and going forward. We recognize this is a particularly complex design space since it is dealing with both active management and safety of funds.”
Last week, DeFi protocol Iron Finance suffered heavy losses due to what it described as a ‘crypto bank run’.
VISR token price tanks
The protocol’s native token tanked 64% at the time of the incident on June 19, plunging from $0.95 to $0.34 according to CoinGecko.
At the time of writing, VISR was trading at $0.51, down 55% on the week and 87% since its May 5 all-time high of $4.11. The total value locked is around $1.2 million according to DeFi Llama, a slump of 66% from its all-time high of $3.5 million on June 17.