Midas Capital suffered a $660,000 exploit after an attacker used a flash loan exploit on a Jarvis Polygon pool. The team has released a postmortem explaining what happened.

DeFi lending and borrowing platform Midas Capital has released a postmortem on the $660,000 exploit it experienced on Jan. 16. Midas Capital paused the borrowing on the Jarvis Polygon pool, which was the source of the exploit. The team said that a suspicious transaction used a recently added collateral token.

POST MORTEM

1/7

We listed WMATIC-stMATIC Curve LP token a few days ago on https://t.co/jyjevMVMyF with supply caps of ~250k and had, not yet announced it

Not long after the exploit, the team released the postmortem. It stated that Midas listed the WMATIC-stMATIC Curve LP token only a few days ago. This was not yet announced and had a supply cap of $250,000.

The Jarvis Network team and Midas Capital were discussing adding new collateral options and placing supply caps to prevent large borrows. This wasn’t enough to prevent the exploit, which was the popular flash loan kind that has plagued the market for years.

The flash loan exploit saw the attacker inflation the price of the LP token, borrowing against it. They made away with over $660,000 of jAssets. The team admitted that it made a judgment error, thinking that the reentrancy would it had seen in the past would not affect the chain’s native ‘raw_call’ function.

The developers have made attempts to recover the funds. They have reached out to the attacker in the hopes that they will return it, offering a bug bounty in return. So far, there have been no updates on whether the attacker has responded.

To the attacker that hit our protocol last night: we've sent a message asking to discuss with us and @Jarvis_Network a bounty on the exploit. If you do see this, please get in touch!https://t.co/EbSDtjBIh1

Meanwhile, the team is looking at other ways to deal with the losses. They are conducting internal processes to prevent a repeat of the attack. It notes that establishing borrowing limits on newly added collateral or having a cooldown period would have limited the attack surface.

The Midas Capital team claims it will focus on exercising caution when adding new collateral and work on developing a risk assessment framework. It also plans to add more checks and balances.

DeFi exploits continue to haunt the market, and these don’t seem to have waned in the past year. In 2022, the value of losses that the crypto and DeFi market hit was $3.9 billion, with ImmuneFi highlighting that there were 168 incidents. Only $204 million was recovered, amounting to 5.2% of the total value.

However, white hat hackers have contributed towards security considerably. They have saved over $20 billion from hacks in 2022, and perhaps this might reduce the value lost in 2023. Even the FBI has chimed in, offering safety tips to DeFi users.

The post Midas Capital Releases $660,000 Exploit Post Mortem, DeFi Attacks Carry Into 2023 appeared first on BeInCrypto.

Similar to Notcoin - TapSwap on Solana Airdrops In 2024

origin »

235 +