On September 12, industry outlet DeFiPrime revealed that Zabu Finance had been hacked. The hacker stole 4.5 billion tokens from a Zabu Farm Contract, amounting to $3.2 million.
The transfer of such a large number of tokens eventually drove the price of Zabu tokens down to $0. Zabu Token has also confirmed the hack on Twitter. Moreover, the platform asked for help from other known decentralized exchanges hosted on Avalanche, such as Pangolin and Trader Joe.
How the Attacker Circumnavigated Zabu’s System
Zabu Finance's investigation gave insight into how the attacker carried out the hack. The attacker took the assets from a pool of Spore tokens. According to a source, it contained 106,848 AVE, 23,958.93 JOE, 361,267 USDT, 21,501 PNG, and 23,157 WAVAX.
The hacker took advantage of a vulnerability in the contract used by yield farms to distribute rewards. They were able to interact with the blockchain contracts. Consequently, they pulled out 4.5 billion Zabu tokens from the Zabu Farm Contract. The attacker then dumped all of Zabu's Pangolin LPs and Trader Joe LPs and stole around $600K.
The price dropped to zero because of the “Transfer Tax” mechanism. The attacker used it to mint tokens, causing the token's price to collapse.
Coping With the Attack
After the attack, Yield Yak, a DeFi tool hosted by Zabu and Avalanche, advised users to withdraw their holdings promptly. It was a measure to help investors avoid accumulating more losses than they already had.
Zabu confirmed that it is planning to revert the situation. It intends to return tokens to its investors, considering the balances before and after the attack. It may take some time to calculate balances from the affected pools, says Avalanche. Hence, they need help from Markr, DeBankl, and Avalanche.
Buyers who purchased after the hack can participate in Farm V2. To do this, they can stake what they bought in a Zabu V1 staking pool. So far, Zabu has burned the remaining 93.12 million Zabu tokens worth $360,000.
DeFi Attacks Crisis
The Zabu attack is not the only DeFi attack that has made news this year. It only adds to the growing list. Data from DeFiYield’s REKT has revealed that similar losses amounting to almost $1.6 billion have taken place in the last five years.
Just at the end of last month, on August 30, hackers attacked xToken. The losses amounted to close to $4.5 million. The attacker used an elaborate series of token swaps to carry out the attack. They involved a flash loan from dYdX for 25,000 ETH, about $81.5 million. It shows how attackers are getting creative and are willing to go to extremes for an attack to work. With DeFi becoming more popular, hackers are fishing for vulnerable projects.