On Oct. 27, decentralized finance (DeFi) lockup protocol Crew Finance mentioned that over $14.5 million value of tokens had been exploited by means of the Uniswap v2 to v3 migration perform on its platform. As informed by blockchain safety agency PeckShield, the hacker transferred liquidity from Uniswap v2 property on Crew Finance to an attacker-controlled v3 pair with skewed pricing. By locking tokens to the contract, the attacker bypassed current validation mechanisms and pocketed the large leftovers as a refund for revenue.
Uniswap v3 was designed with higher effectivity for liquidity suppliers (LP) than v2 on its decentralized alternate. Nevertheless, v2 sensible contracts are nonetheless operational, and customers should work together with a migration sensible contract emigrate their LP property from v2 to v3. PeckShield estimated that the preliminary assault vector required for this interplay price simply 1.76 Ether (ETH).
Drained property embody USD Coin (USDC), CAW, TSUKA and KNDA tokens, because the liquidity swimming pools had been “moved” to Uniswap v3. On the decentralized alternate, among the affected tokens, resembling CAW, suffered steep value declines as a result of exploit and subsequent liquidity crunch.
Crew Finance mentioned that the sensible contract had been beforehand audited and urged the hacker to “get involved with us for a bounty cost.” In consequence, builders have quickly paused all exercise on the protocol and declare that every one funds on the platform aren’t prone to an extra exploit. Based in 2020, Crew Finance and its guardian agency, TrustSwap, present token liquidity locking and vesting companies for venture executives. The protocol claims to have $3 billion secured throughout 12 blockchains.
With vesting intervals longer than Liz Truss’ employment historical past… https://t.co/1Wo6RwqsFg can maintain you safer than the British financial system this winter!
Lock your tokens at present and maintain the Truss away. pic.twitter.com/QYPhjg7HQo
— Crew Finance (@TeamFinance_) October 21, 2022