2 days ago · 3 min read
Avalanche › DeFi
Avalanche (AVAX) chain’s Zabu Finance sees a $3.2 million exploit
The first major attack in the Avalanche ecosystem leaves Zabu Finance exploited for $3,2 million worth of funds.
The exploited protocol confirmed the attack on Twitter, clarifying that the funds were stolen from its SPORE pool.
“Zabu Team Wallet has not sold a single Zabu. We’re under an exploit, possibly from Spore Pool. We’re investigating the exploit. Need help Pangolin, Trader Joe, Avalanche,” Zabu Finance announced the exploit on Twitter, while reaching out to the network and the popular decentralized exchanges (DEXs).
Zabu Team Wallet has not sold a single Zabu. We're under an exploit, possibly from Spore Pool. We're investigating the exploit. Need help @pangolindex @traderjoe_xyz @avalancheavax pic.twitter.com/lKysK87InM
— Zabu Finance ? (@zabufinance) September 11, 2021
The exploited protocol confirmed that the hacker interacted with the blockchain contract and “successfully pulled out 4,5 billion Zabu tokens from Zabu Farm Contract, dumped all to Pangolin LPs and Trader Joe LPs of Zabu, stole around $600K.”
A blockchain security and data analytics company PackShield reported on Twitter which funds were stolen, estimating the exploited amount to $3.2 million.
— PeckShield Inc. (@peckshield) September 12, 2021
“The same bug happened many times before,” PackShield commented on the vulnerability in the contract used by yield farms to distribute rewards, where native tokens have been reportedly exploited all the way to $0,00.
The removal of a large amount of ZABU tokens drove the price down rapidly.
Prior to the attack, the token was trading at around $0.004, while today it struggles at around $0.0001, according to CoinGecko.
“As all supply is reached in a bad way, we are burning all ZABU in Dev Wallet and Treasury Wallet,” announced the exploited protocol on Twitter.
The protocol advised investors to withdraw their holdings or risk losing their assets to the attacker as they “calmed down people by showing them the team was also a victim and burned all team tokens.”
The Zabu team has announced a plan to return tokens to investors based on a snapshot from before the hack, while also seeking a solution for those that bought in after the exploit.
“In that way, people who lost money pre-hack will get distributed the tokens, and continue to support the protocol if they want. For the late buyer (post-hack), they can also participate in the Farm V2 by staking what they’ve bought in a Zabu V1 Staking Pool,” clarified the team.