Team Finance, a DeFi platform used by other projects to lock their liquidity, has become the latest victim of a malicious exploit. This time, the attacker was able to steal $15.8 million worth of liquidity tokens from the project.
Thursday’s hack affected four different DeFi projects. These protocols have seen their liquidity suffer mild to serious drops following the theft. The attack is the latest security incident in the crypto space in October.
Details of the Team Finance Attack
The Team Finance exploit happened because of a flaw in the project’s migration contract, according to blockchain forensics outfit PeckShield. Details given by the security firm state that the attacker exploited the platform’s v2 to v3 migration protocols. V2 and v3 here refer to version two and version three of the Team Finance liquidity locking platform. Some projects’ liquidities are on Team Finance v2 while others are in the v3.
The attacker was able to manipulate the price of some liquidity tokens in the v2 and migrate them to the v3. In doing so, the attacker could then profit off the price disparity. On-chain data from Etherscan shows the attacker targeted four DeFi projects, namely Kondux, Dejitaru Tsuka, Kondux, and CAW (A Hunters Dream). The latter of the four was the most affected of the four projects with $11.5 million of CAW’s liquidity tokens siphoned in the incident. Both CAW and Dejitaru Tsuka seem to be the most affected by the attack with reports that their entire liquidity has been drained.
Team Finance put out a statement on Twitter confirming the attack, stating:
“We have just been alerted of an exploit on Team Finance. We are currently unsure of the details. We urge the exploiter to get in contact with us for a bounty payment We are working to analyze and remedy the situation at this very moment.”
Team Finance also stated that it had paused all activity on its protocol to prevent further attacks. The team stated that user funds are not at further risk of the malicious exploit.
No Stopping Hacktober
October has always been a busy month for crypto security incidents and 2022 is proving to be no different. This month has already seen several high-profile crypto thefts and malicious exploits including attacks against BNB chain and Mango Markets. In both incidents, the attacker was able to siphon more than $100 million each.
The Mango Markets incident caused a stir earlier in October as the project’s community voted to allow the exploiter keep almost half of the siphoned funds. The individual himself also came out later to describe the exploit as a profitable trading strategy that was not illegal. Following the Mango exploit, there have been concerns that malicious actors could target other illiquid tokens and launch similar attacks.
The Mango attack has also brought up the issue of bounties for malicious actors to the fore. While such bounties are usually pegged at 10% of the loot, the Mango attacker got to keep close to half of what was siphoned from the platform.