Avalanche flash loan exploit sees $371K in USDC stolen

Avalanche-based lending protocol Nereus Finance has been the victim of a crafty hack that saw a person net $371,000 worth of USD Coin (USDC) using a smart contract exploit.

Blockchain cybersecurity firm CertiK was among the first to identify the exploit on Sept. 6, indicating the attack impacted liquidity pools on Nereus associated with decentralized exchange Trader Joe and automated market maker Curve Finance.

CertiK also suggested that the underlying protocols themselves were impacted; however, Curve Finance responded via Twitter on Sept. 7, stating “maybe you meant ‘assets impacted,’ not ‘protocols impacted’. Only @nereusfinance and its assets appear impacted.”

On Sept. 7, Nereus Finance released a detailed post-mortem of the incident explaining that an “exploiter” was able to deploy a custom smart contract that used a $51 million flash loan from Aave to artificially manipulate the AVAX/USDC Trader Joe LP (JLP) pool price for a single block.

As a result, the anonymous hacker was able to mint 998,000 worth of Nereus’ native token NXUSD against $508,000 worth of collateral. They then swapped this capital into different assets via various liquidity pools and were able to walk away with a net profit of $371,406 once the flash loan was returned.

The incident resulted in the creation of $500,000 of NXUSD “bad debt” within the NXUSD protocol.

The Nereus team says it was quick to rectify the problem: after consulting security experts, creating a mitigation plan and notifying law enforcement, it liquidated and stopped the exploited JLP market.

The bad debt was reportedly paid off using NXUSD from the team’s treasury.

According to Nereus, the exploit resulted from a “missed step” in the price calculation, which left an opening that could be exploited. However, it stressed that “no users money is in danger, and NXUSD remains over collateralized” and that the “Lending and Borrowing protocol wasn’t impacted by this exploit.”
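The article does not say which step of the price calculation was missed, so the following is an added illustration, not Nereus's code or anything from its post-mortem. It shows the general reason an LP-token price read from a pool's current reserves can move within one block, next to the commonly used "fair" formula that depends only on the pool invariant and external prices. The pool size, AVAX price, zero swap fee and all function names are constructed assumptions; only the $51 million trade size comes from the article.

```python
import math

def swap_usdc_for_avax(r_avax, r_usdc, usdc_in):
    """Constant-product swap (x * y = k), fees ignored; returns new reserves."""
    new_usdc = r_usdc + usdc_in
    new_avax = r_avax * r_usdc / new_usdc
    return new_avax, new_usdc

def spot_lp_price(r_avax, r_usdc, supply, avax_usd, usdc_usd=1.0):
    """Manipulable: values whatever reserves the pool holds right now."""
    return (r_avax * avax_usd + r_usdc * usdc_usd) / supply

def fair_lp_price(r_avax, r_usdc, supply, avax_usd, usdc_usd=1.0):
    """Resistant: depends only on k = r_avax * r_usdc and external prices."""
    return 2 * math.sqrt(r_avax * r_usdc * avax_usd * usdc_usd) / supply

def compare(trade_usdc=51_000_000):
    # Constructed pool: 1,000,000 AVAX and 20,000,000 USDC, external AVAX price $20.
    r_avax, r_usdc, avax_usd = 1_000_000.0, 20_000_000.0, 20.0
    supply = math.sqrt(r_avax * r_usdc)  # LP tokens outstanding (constructed)
    result = {
        "spot_before": spot_lp_price(r_avax, r_usdc, supply, avax_usd),
        "fair_before": fair_lp_price(r_avax, r_usdc, supply, avax_usd),
    }
    # One large swap inside a single block skews the reserves; k is unchanged.
    r_avax, r_usdc = swap_usdc_for_avax(r_avax, r_usdc, trade_usdc)
    result["spot_after"] = spot_lp_price(r_avax, r_usdc, supply, avax_usd)
    result["fair_after"] = fair_lp_price(r_avax, r_usdc, supply, avax_usd)
    return result

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.4f}")
```

In this constructed pool the reserve-based price nearly doubles for the duration of the block while the invariant-based price does not move, which is why lending markets that accept LP tokens as collateral price them from the invariant and external feeds.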

Nereus is also confident the same exploit will not be possible again, as the team will be amending its “audit and security practices to guarantee these kinds of occasions don’t occur later on,” noting:

“While this exploit is really a bad incident — it isn’t uncommon for protocols to manage these kinds of fight tests.”

At this time, the Nereus team is attempting to identify the hacker and track the funds, and has offered a 20% white hat reward for the return of the funds, no questions asked.

Related: Solana-based stablecoin NIRV drops 85% following $3.5M exploit

Despite this recent flash loan exploit and several other notable incidents throughout the year, CertiK’s August 2022 Monthly Skynet Alerts Report, released on Sept. 2, claims there has been a notable reduction in these kinds of attacks.

Compared to the previous month, August saw a drop of 95% in flash loan attacks, producing a total loss of only $745,244, the second lowest this year.

February continues to have the lowest recorded loss from flash loan exploits, with just $200,000.
