On Sept 12, industry outlet DeFiPrime tweeted that Zabu Finance had been exploited for $3.2 million in what could be the first major attack on Avalanche.
The protocol followed up with a tweet of its own confirming the exploit and that the funds were stolen from its SPORE pool:
“Zabu Team Wallet has not sold a single Zabu. We’re under an exploit, possibly from Spore Pool. We’re investigating the exploit. Need help.”
It added that the attacker exploited the protocol’s “Transfer Tax” mechanism to mint tokens, causing the price to collapse. The attacker exploited a vulnerability in the contract that yield farms use to distribute rewards. Security firm PeckShield commented that “the same bug happened many times before.”
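The article gives no contract-level detail, but the bug class PeckShield refers to is usually a farm that credits a depositor with the nominal amount of a fee-on-transfer token rather than the amount it actually received, so recorded stakes exceed the pool’s real holdings and the last depositors cannot exit. The Python model below is an added example, not Zabu’s code or the article’s: the token, the 10% tax rate, the pool and the user names are constructed, and the mechanism is assumed to match that common pattern; it contrasts naive and balance-delta accounting and includes the solvency invariant a monitor could check.

```python
# Added example modelling the assumed "transfer tax" accounting flaw; not Zabu code.
from dataclasses import dataclass, field

TAX_BPS = 1000  # constructed: 10% tax burned on every transfer, in basis points


@dataclass
class TaxedToken:
    balances: dict = field(default_factory=dict)

    def transfer(self, src: str, dst: str, amount: int) -> int:
        """Move `amount` from src to dst, burning the tax; return what dst receives."""
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        tax = amount * TAX_BPS // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount - tax
        return amount - tax


@dataclass
class Pool:
    token: TaxedToken
    credit_received: bool = False  # False = naive accounting (credits nominal amount)
    name: str = "pool"
    staked: dict = field(default_factory=dict)

    def deposit(self, user: str, amount: int) -> None:
        before = self.token.balances.get(self.name, 0)
        self.token.transfer(user, self.name, amount)
        received = self.token.balances[self.name] - before  # balance delta
        credit = received if self.credit_received else amount
        self.staked[user] = self.staked.get(user, 0) + credit

    def withdraw(self, user: str, amount: int) -> None:
        if self.staked.get(user, 0) < amount:
            raise ValueError("exceeds recorded stake")
        self.staked[user] -= amount
        self.token.transfer(self.name, user, amount)

    def solvent(self) -> bool:
        """Invariant a monitor can check: recorded stakes never exceed real holdings."""
        return sum(self.staked.values()) <= self.token.balances.get(self.name, 0)


def simulate(credit_received: bool) -> dict:
    """Two users stake 1000 each, then exit in turn; report what a monitor would see."""
    token = TaxedToken({"alice": 1000, "bob": 1000})  # constructed balances
    pool = Pool(token, credit_received=credit_received)
    pool.deposit("alice", 1000)
    pool.deposit("bob", 1000)
    solvent = pool.solvent()
    pool.withdraw("alice", pool.staked["alice"])  # first exit takes its full record
    try:
        pool.withdraw("bob", pool.staked["bob"])
        bob_exits = True
    except ValueError:  # naive accounting: the pool no longer holds Bob's stake
        bob_exits = False
    return {"solvent_after_deposits": solvent, "bob_can_exit": bob_exits}
```

Running `simulate(False)` shows the naive pool insolvent after two honest deposits, while `simulate(True)` shows the balance-delta version staying solvent so both users can exit.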
Snapshot, launch v2, move on
Zabu Finance, which describes itself as a full-stack DeFi station on Avalanche, explained that the attacker interacted with the contract to remove 4.5 billion ZABU tokens and used them to accrue liquidity provider tokens in other farms on the Pangolin and Trader Joe DEXes on Avalanche. Those were then sold as the hacker made off with the loot.
After realizing that Zabu Farms had been exploited, Zabu set the rewards to zero so that users could withdraw their funds. The team now plans to take a snapshot from before the hack, but it is also seeking a solution for those who bought in after the exploit.
It will distribute ZABU v2 tokens to those affected and restart the farm as v2, with a Zabu v1 staking pool for those who aped in after the hack.
“In that way, people who lost money pre-hack will get distributed the tokens, and continue to support the protocol if they want. For the late buyer (post-hack), they can also participate in the Farm V2 by staking what they’ve bought in a Zabu V1 Staking Pool.”
ZABU prices collapse
The removal of so many ZABU tokens caused prices to collapse to zero, or close to it. They were trading at around $0.004 on Sunday and are practically worthless today ($0.00002), according to CoinGecko.
Zabu Finance is the latest in a long list of dubious DeFi protocols that have been exploited in 2021. According to DeFiYield’s REKT database, $1.6 billion has been lost to similar hacks, scams, and rug pulls over the past 5 years.