Avalanche (AVAX)-based Nereus Finance suffered a flash loan attack on September 6, 2022, which netted the hackers $371,000 worth of USD Coin (USDC). Nereus Finance says it's still working on identifying the bad actors and is offering a 20 percent White Hat reward for the return of the funds, according to a blog post on September 7, 2022.
Nereus Finance Hacked
Despite the ravaging bear market, hackers continue to cash out large sums from DeFi, and Nereus Finance, a decentralized finance lending protocol on the Avalanche (AVAX) blockchain, is the latest platform to get exploited by bad actors.
Per a post-mortem report released by the Nereus protocol team on September 7, a yet-to-be-identified hacker exploited the AVAX/USDC Joe LP NXUSD pool, creating a $500k NXUSD bad debt in the NXUSD protocol at around 10:30 PM UTC on Sept. 6. Nereus wrote:
“At approximately 10:30 PM UTC on September 6th, the Nereus team notified the community of an incident through the community discord; this was later picked up by CertiK and other on-chain analysis groups and reported broadly as a flash-loan exploit resulting in a $371k gain.”
The team says the hacker was able to deploy a custom smart contract, which took advantage of a $51 million flash loan to manipulate the price of the AVAX/USDC Trader Joe liquidity pool, enabling the attacker to mint 998,000 NXUSD against approximately $508k worth of collateral.
Salvaging the Heist
Shedding more light on the attack, Nereus revealed that a 'missed step' in the price calculation for its recently introduced collateral types, which support AVAX/USDC Trader Joe LP tokens, allowed the attacker to gain entrance into the protocol.
The team further notes:
“The price calculation was based on the current wAvaxReserve price, usdcReserve price, and totalSupply taken on-chain from the TraderJoe Pool directly without any time-weighted average price mechanism implemented in order to prevent potential single block manipulation.”
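The weakness the team describes, shown as an added example that is not Nereus's code: a toy fee-less constant-product pool in Python, with an LP token valued from instantaneous reserves beside a valuation from reserves averaged over time. The valuation formula, the `AVAX_USD` reference price, every name and every figure are assumptions constructed for illustration.

```python
from dataclasses import dataclass

AVAX_USD = 20.0  # assumed reference price; USDC is valued at $1

@dataclass
class Pool:
    wavax: float             # wAVAX reserve
    usdc: float              # USDC reserve
    total_supply: float      # LP tokens outstanding
    last_ts: int = 0         # time of the last reserve update
    cum_wavax: float = 0.0   # running sum of reserve * seconds held
    cum_usdc: float = 0.0

    def observe(self, now: int):
        # Credit the reserves that were in place for the elapsed time.
        elapsed = now - self.last_ts
        self.cum_wavax += self.wavax * elapsed
        self.cum_usdc += self.usdc * elapsed
        self.last_ts = now
        return now, self.cum_wavax, self.cum_usdc

    def swap_usdc_in(self, amount: float, now: int) -> float:
        self.observe(now)
        k = self.wavax * self.usdc          # constant product, no fee
        self.usdc += amount
        out = self.wavax - k / self.usdc
        self.wavax -= out
        return out

def spot_lp_price(pool: Pool) -> float:
    # Weak: trusts whatever the reserves are at this instant.
    return (pool.wavax * AVAX_USD + pool.usdc) / pool.total_supply

def twap_lp_price(pool: Pool, start, now: int) -> float:
    # Hardened: time-weighted average reserves since the `start` observation.
    t0, w0, u0 = start
    t1, w1, u1 = pool.observe(now)
    if t1 <= t0:
        raise ValueError("averaging window must span some time")
    span = t1 - t0
    return ((w1 - w0) / span * AVAX_USD + (u1 - u0) / span) / pool.total_supply

def demo():
    # Constructed figures: 100k wAVAX / 2M USDC pool, 400k LP tokens.
    pool = Pool(wavax=100_000.0, usdc=2_000_000.0, total_supply=400_000.0)
    start = pool.observe(0)
    before = spot_lp_price(pool)
    pool.swap_usdc_in(6_000_000.0, now=1800)  # reserves skewed at t=1800
    return before, spot_lp_price(pool), twap_lp_price(pool, start, now=1800)
```

With these constructed numbers `demo()` returns 10.0, 21.25 and 10.0: the spot valuation more than doubles after one large swap, while the time-weighted value is unchanged because the skewed reserves have been in place for zero seconds.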
After losing $371k to the bad actors, the Nereus team says it quickly consulted security experts, formulated mitigation plans, and engaged the services of law enforcement in a bid to fish out the perpetrators.
Though the hackers are still at large at the time of writing, Nereus Finance says it has paid off the bad debt and it continues to collaborate with law enforcement agents to fish out the attackers. On top of that, the team has also made it clear that it’s offering a 20 percent White Hat reward for them to return the stolen funds.
“In addition, the team will be amending our audit and security practices in order to ensure these types of events do not occur in the future,” the team added.
As of July 2022, the decentralized finance (DeFi) industry has lost a massive $2 billion to bad actors and the menace will not stop anytime soon.
On a brighter note, on September 6, Colony Lab joined forces with Phuture to bring indexed digital assets investing to the Avalanche ecosystem.