In a rare comedic blunder in DeFi exploits, attackers fumbled their heist at the finish line, leaving behind more than $1 million in stolen cryptocurrency.
Just after 8 a.m. UTC on Thursday, April 21, blockchain security and analytics firm BlockSec shared that it had detected an attack on Zeed, a little-known DeFi lending protocol that bills itself as a “decentralized finance integrated ecosystem.”
The attackers exploited a bug in the way the protocol distributes rewards, allowing them to mint additional tokens and then sell them, bringing the price down to zero but netting the attackers over $1 million.
Blockchain analysis firm PeckShield noted that the stolen cryptocurrencies were moved into “attack contracts,” which are smart contracts that automatically and quickly execute to find vulnerabilities.
#PeckShieldAlert Looks like @zeedcommunity is under attack. The exploiters received about $1 million. The proceeds are currently in the attack contract. https://t.co/bSHHGM623Q @peckshield https://t.co/jXVj0oGI8B
— PeckShieldAlert (@PeckShieldAlert) April 21, 2022
However, the attackers were apparently so excited about their successful heist that they forgot to transfer over $1 million worth of stolen cryptocurrency out of their attack contract before setting it to self-destruct, permanently and irreversibly ensuring that the funds can never be transferred.
Interesting. The hacker killed the contract but forgot to transfer the profit. https://t.co/HbS2fiztuc https://t.co/uApZyK8Uym pic.twitter.com/FwpZweNLHU
— PeckShield Inc. (@peckshield) April 21, 2022
Using a blockchain scanner to view the attack contract address revealed that $1,041,237.57 worth of BSC-USD Binance-Peg tokens were permanently stuck in the contract, and it was confirmed that the contract successfully self-destructed at 7:15 a.m. UTC on April 21.
This is one of the more bizarre incidents since the Polygon hacker held an “ask me anything” session using messages embedded in Ethereum (ETH) transactions after stealing $612 million from the protocol in August 2021. The question-and-answer session revealed that the attackers hacked “for fun” and believed that “cross-chain hacking is hot.”
This latest hack is on the smaller end of the spectrum in terms of the amount stolen. Other DeFi protocol hacks have seen hundreds of millions stolen, such as the recent Ronin Bridge hack, in which attackers stole over $600 million.
Other notable DeFi breaches include the $80 million worth of cryptocurrency stolen from Qubit Finance in January, where attackers tricked the protocol into believing they had deposited collateral, allowing them to mint assets representing bridged cryptocurrencies.
DeFi marketplace Deus Finance was exploited in March when hackers rigged the price of a pair of stablecoins, leaving user funds insolvent, netting the hackers more than $3 million.