Hacker uses $2,700 to drain $15.8 million from Team Finance

Quick Take

  • An attacker has exploited flaws in the Team Finance migration function for moving locked liquidity tokens.
  • Today’s attack only required $2,700 on their part.
 

Team Finance has suffered a malicious exploit with the attacker draining $15.8 million worth of tokens from the protocol.

Team Finance is a DeFi platform that helps other projects lock their liquidity. This is done to reduce the risk of what's known as rug pulling — where a project's liquidity is withdrawn, causing the value of the token to crash. 

Today’s attacker targeted the liquidity tokens under Team Finance’s custody, according to PeckShield. The attack affected four projects, namely CAW (A Hunters Dream), Dejitaru Tsuka, Kondux, and Feg. CAW was the most impacted in the incident with the attacker removing $11.5 million worth of its liquidity tokens.

The DeFi liquidity locker confirmed the incident, stating that the attacker exploited its audited version 2 to version 3 migration function. PeckShield stated that the flaw in the migration function allowed the attacker to manipulate the price of liquidity tokens when transferring from v2 to v3. This price skewing allowed the attacker to earn a significant profit after the migration process was completed.

“We have temporarily paused all activity through team finance until we are certain this exploit has been remedied. All funds currently on Team Finance are not at further risk of this exploit,” Team Finance stated.

The attacker used 1.76 ether ($2,700) to launch the attack, PeckShield noted. The attacker’s wallet address still holds the proceeds from the exploit, including $6.43 million in the DAI stablecoin and 880 ETH ($1.36 million).

THE SCOOP

Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

Team Finance also urged the exploiter to get in touch to arrange a bounty payment. Such arrangements are becoming commonplace in the DeFi space amid a spate of recent high-profile hacks and exploits.

Team Finance joins a number of DeFi protocols to suffer malicious exploits in October with the month shaping up to be a record-breaking one for crypto security incidents. Earlier in the month, Mango Markets suffered a $114 million exploit with the attacker claiming that it was simply a “highly profitable trading strategy.”

 

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Osato is a news reporter at The Block as part of the crypto ecosystems team that focuses on DAO governance, staking, blockchain layers, and DeFi. He was previously a news reporter at Cointelegraph. Based in Lagos, Nigeria, he enjoys crosswords, poker, and attempting to beat his Scrabble high score. Follow him on Twitter at @OsatoNomayo.

Editor

To contact the editor of this story:
Tim Copeland at
[email protected]