Hackers appear to have spent as little as 1.76 Ether to initiate the attack vector.
On Thursday, decentralized finance, or DeFi, lockup protocol Team Finance said over $14.5 million worth of tokens were exploited though the Uniswap V2 to V3 migration function on its platform. As told by blockchain security firm PeckShield, the hacker transferred liquidity from Uniswap V2 assets on Team Finance to an attacker-controlled V3 pair with skewed pricing. By locking tokens to the contract, the attacker bypassed existing validation mechanisms and pocketed the huge leftovers as refund for profit.
Uniswap V3 was designed with better efficiency for liquidity providers (LP) than V2 on its decentralized exchange. However, V2 smart contracts are still operational, and users must interact with a migration smart contract to migrate their LP assets from V2 to V3. PeckShield estimates that the initial attack vector required for this interaction costed just 1.76 Ether (ETH).
Drained assets include USD Coin, CAW, TSUKA, and KNDA tokens, as the liquidity pools were 'moved' to Uniswap V3. On the decentralized exchange, some of the affected tokens, such as CAW, suffered steep price declines due to the exploit and subsequent liquidity crunch.
Team Finance says that the smart contract had been previously audited and urged the hacker to "get in contact with us for a bounty payment." As a result, developers have temporarily paused all activity on the protocol and claim that all funds on the platform are not at risk of further exploit. Founded in 2020, Team Finance and its parent firm TrustSwap provides token liquidity locking and vesting services for project executives. The protocol claims to have $3 billion secured across 12 blockchains.
With vesting periods longer than Liz Truss' employment history... https://t.co/1Wo6RwqsFg can keep you safer than the British economy this winter!
— Team Finance (@TeamFinance_) October 21, 2022
Lock your tokens today and keep the Truss away. pic.twitter.com/QYPhjg7HQo