Zabu Exploit Highlights a Growing Problem for DeFi and Blockchain

September 14, 2021

The exploitation of a blockchain DeFi application has resulted in the removal of crypto tokens worth $3.2 million. Zabu Finance, a full-stack DeFi station located on the Avalanche blockchain, was targeted in the exploit. The company's tokens were reduced to zero value as a result of the breach.

After issuing a statement seeking help from Avalanche and other decentralized exchanges hosted on the blockchain, Zabu announced that it had not sold a single Zabu.

"We're under an exploit, possibly from Spore Pool," read the statement. "We're investigating the exploit. Need help Pangolin, Trader Joe, Avalanche." Pangolin and Trader Joe also reside on the Avalanche blockchain.

The company subsequently discovered the attacker stole assets from a pool of spore tokens that included Wrapped Ether, Wrapped AVAX, Pangolin, Avaware, Tether and JOE. The tokens were worth $3.2 million at the time of the exploit.

Zabu also revealed that the attacker interacted with the blockchain contracts and pulled out 4.5 billion Zabu tokens from the Zabu Farm Contract. After dumping other tokens, the culprits successfully stole approximately $600,000.

Zabu and Yield Yak, another DeFi tool hosted on the Avalanche blockchain, advised investors to withdraw their holdings or risk losing them following the exploit. Zabu intends to return tokens to investors based on their balances before and after the attack as part of a remediation effort. The company has also burned the remaining tokens hosted on the blockchain, which were worth around $360,000.

According to analysis from Atlas VPN, DeFi hacks represented 76 percent of all major hacks for the first half of 2021, compared to only 25 percent of hacks in 2020. The analysis revealed the two most common DeFi scams involve outside agents hacking the DeFi protocol and so-called "rug pull scams." These scams often include marketers and a large group of people who inflate the value of a crypto coin, most commonly a new one, and then disappear with investors' money.

"Many DeFi projects get hacked because of developer incompetence which causes coding mistakes that hackers can abuse," wrote Atlas VPN in a blog post about its findings. "Other cybercriminals can take out a flash loan and manipulate the token price to hack the DeFi protocol."

That was the case last month, when DeFi project xToken underwent an attack and lost close to $4.5 million. The hacker used a process of token swaps involving taking out a flash loan from the dYdX decentralized exchange. The loan of 25,000 ETH was worth roughly $81 million, and was used to carry out the attack.

Edited by Luke Bellos
