Nereus Finance, an Avalanche-based lending protocol, is the latest victim of a smart contract exploit, with the attacker walking away with a net $371K worth of USD Coin (USDC).
The exploit was first reported on September 6 by CertiK, a blockchain cybersecurity firm. The firm indicated that the attack impacted Nereus liquidity pools tied to the decentralized exchange Trader Joe and the automated market maker Curve Finance.
CertiK also claimed that the underlying protocols themselves were impacted. However, Curve Finance quickly cleared that up by responding, “maybe you meant ‘assets impacted,’ not ‘protocols impacted’. Only @nereusfinance and its assets seem impacted.”
A detailed post-mortem of the incident was posted by Nereus Finance on September 7. It stated that the exploiter deployed a custom smart contract that used a $51 million flash loan from Aave to artificially manipulate the price of the AVAX/USDC Trader Joe LP token (JLP) within a single block.
With the pool price skewed, the exploiter minted 998,000 NXUSD (Nereus' USD-pegged stablecoin) against collateral worth only $508,000. The exploiter then swapped the NXUSD into other assets across several liquidity pools and, once the flash loan was repaid, walked away with a net profit of $371,406.
Nereus Finance says it reacted quickly, consulted security experts, developed a mitigation plan and informed law enforcement. It also liquidated and paused the exploited JLP market.
The incident left NXUSD with roughly $500,000 of bad debt, the portion of the minted NXUSD that the collateral did not cover. The team said it paid off the bad debt with NXUSD from its own treasury, and announced that the lending and borrowing protocol "was not affected by this exploit."
The post-mortem attributes the incident to a missed step in the price calculation: the value assigned to JLP collateral could be moved by a single-block manipulation of the pool's reserves, which is what the flash loan exploited.
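The attack pattern the post-mortem describes, as an added simulation that is not Nereus Finance's code and makes no claim about which formula Nereus actually used: a constant-product AVAX/USDC pool is skewed by a flash-loaned deposit for one block, an LP-token price derived from the pool's own spot reserves balloons, and stablecoin is minted against the inflated collateral before the swap is unwound and the loan repaid. Beside the reserve-based price sits the widely used "fair LP" valuation (2*sqrt(k*p0*p1)/supply, with external oracle prices), which is invariant under in-pool swaps. Pool sizes, the $20 AVAX price, the attacker's LP holding and the 0.9 loan-to-value ratio are all constructed numbers chosen for clear arithmetic.

```python
"""
Flash-loan manipulation of an LP-token collateral price: added simulation,
not Nereus Finance's code. All figures below are constructed.
"""
import math
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Minimal x*y=k AMM pool. Swap fees are ignored so k stays exactly invariant."""
    r_avax: float
    r_usdc: float
    lp_supply: float  # outstanding LP tokens (JLP in the article's case)

    def swap_usdc_for_avax(self, usdc_in: float) -> float:
        """Sell USDC into the pool; returns the AVAX paid out. Reserves update in place."""
        k = self.r_avax * self.r_usdc
        new_r_usdc = self.r_usdc + usdc_in
        new_r_avax = k / new_r_usdc
        avax_out = self.r_avax - new_r_avax
        self.r_usdc, self.r_avax = new_r_usdc, new_r_avax
        return avax_out

    def swap_avax_for_usdc(self, avax_in: float) -> float:
        """Sell AVAX into the pool; returns the USDC paid out."""
        k = self.r_avax * self.r_usdc
        new_r_avax = self.r_avax + avax_in
        new_r_usdc = k / new_r_avax
        usdc_out = self.r_usdc - new_r_usdc
        self.r_avax, self.r_usdc = new_r_avax, new_r_usdc
        return usdc_out


def naive_lp_price(pool: ConstantProductPool, p_avax_oracle: float) -> float:
    """LP token value from the pool's own spot price (manipulable).

    Spot AVAX = r_usdc / r_avax, so pool value = r_avax*spot + r_usdc = 2*r_usdc.
    The oracle price is ignored; that is exactly what makes this attackable.
    """
    spot_avax = pool.r_usdc / pool.r_avax
    return (pool.r_avax * spot_avax + pool.r_usdc) / pool.lp_supply


def fair_lp_price(pool: ConstantProductPool, p_avax_oracle: float,
                  p_usdc_oracle: float = 1.0) -> float:
    """Manipulation-resistant 'fair LP' valuation: 2*sqrt(k*p0*p1) / supply.

    Uses external oracle prices and the invariant k = r_avax*r_usdc instead of
    the reserve split. A swap inside the pool leaves k (and this value) unchanged,
    so dumping flash-loaned capital into the pool buys the attacker nothing.
    """
    k = pool.r_avax * pool.r_usdc
    return 2.0 * math.sqrt(k * p_avax_oracle * p_usdc_oracle) / pool.lp_supply


def simulate_attack(pricer, flash_usdc: float, attacker_lp: float, ltv: float,
                    p_avax: float = 20.0) -> dict:
    """One single-block flash-loan attack against a given LP pricer.

    Constructed pool: 100k AVAX / 2M USDC (AVAX = $20), 1M LP tokens outstanding.
    `ltv` is an assumed loan-to-value ratio for minting stablecoin against LP.
    """
    pool = ConstantProductPool(r_avax=100_000.0, r_usdc=2_000_000.0, lp_supply=1_000_000.0)
    price_before = pricer(pool, p_avax)

    # 1. Dump flash-loaned USDC into the pool: reserves skew, spot AVAX price spikes.
    avax_out = pool.swap_usdc_for_avax(flash_usdc)
    price_during = pricer(pool, p_avax)

    # 2. Post LP collateral and mint stablecoin at whatever price the lender computes now.
    minted = attacker_lp * price_during * ltv

    # 3. Unwind the swap and repay the flash loan, all inside the same transaction.
    usdc_back = pool.swap_avax_for_usdc(avax_out)

    # With reserves restored, the collateral is worth what it was before the attack.
    true_collateral_value = attacker_lp * price_before
    return {
        "price_before": price_before,
        "price_during": price_during,
        "minted": minted,
        "usdc_back": usdc_back,
        "bad_debt": max(0.0, minted - true_collateral_value),
    }


if __name__ == "__main__":
    for name, pricer in (("spot-reserve pricing", naive_lp_price),
                         ("fair LP pricing", fair_lp_price)):
        r = simulate_attack(pricer, flash_usdc=10_000_000.0, attacker_lp=10_000.0, ltv=0.9)
        print(f"{name}: LP ${r['price_before']:.2f} -> ${r['price_during']:.2f} in-block, "
              f"minted {r['minted']:,.0f}, bad debt {r['bad_debt']:,.0f}")
```

Under reserve-based pricing the in-block LP price jumps from $4 to $24, the attacker mints 216,000 against collateral truly worth 40,000, and the flash loan is repaid in full from the unwound swap, leaving the protocol with the difference as bad debt; under fair LP pricing the same flash loan changes neither the price nor the mintable amount. Fees, slippage on the attacker's own exit, and time-weighted or multi-source oracles are all omitted here, and a real lender would combine fair LP pricing with a TWAP or Chainlink feed rather than a single spot value.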
Nereus Finance reassured users that the team will amend its “audit and security practices in order to ensure these types of events do not occur in the future.”
The Nereus team says that they are working on identifying the exploiter and are offering a “20% White Hat reward for the return of the funds.”