Vesting Contract For Polygon DeFi Protocol QiDAO Exploited For $13 Million

Republished By Plato

Followers: 0

Polygon-based DeFi protocol QiDAO fell victim to an exploit of its Superfluid vesting contract on Tuesday, resulting in a loss of approximately $13 million.

The QiDAO protocol allows users to borrow stablecoins at 0% interest against their crypto holdings.

QiDAO acknowledged the exploit via Twitter; however, the team stressed that the vesting contract was exploited through a vulnerability in Superfluid, a smart contracts framework on Ethereum that enables users to transfer assets on-chain, rather than QiDAO itself.

Last year, Superfluid raised $9 million in a seed round from a group of private investors and venture capital firms.

Superfluid’s vesting contract for QI has been exploited.

User funds on QiDao contracts remain safe. The exploit is solely on Superfluid.

We will release an update when we know more.

— Qi Dao (@QiDaoProtocol) February 8, 2022

While QiDAO insists that user funds are safe, crypto analytics SlowMist estimates that hackers managed to get away with more than $13 million in various tokens, including QI, WETH, USDC, SDT, MOCA, STACK, sdam3CRV, and MATIC.

2) After analysis, the attackers exchanged some QI, USDC, SDT, MOCA, STACK for ETH through 1inch; exchanged 39,357.25 sdam3CRV to 43,910.09 amDAI. The attacker’s address (0x157…090 ) currently has a balance of 11,016.60 MATIC, 507,930.87 MOCA, 2,707.91 ETH, and 43,910.39 DAI.

— SlowMist (@SlowMist_Team) February 8, 2022

QiDAO token plummets

The team at Superfluid confirmed it was “notified of a potential exploit of the QiDAO vesting contract that leverages Superfluid code,” adding that it is currently investigating the incident.

Users are also urged to “exercise caution and avoid interactions with Superfluid smart contracts until further notice.”

Following the incident, the price of the QiDAO governance token, Qi, plummeted by more than 70%, from $1.24 to $0.18 before rebounding to $0.70 by press time, according to CoinGecko.

The exploit also comes a day after Polygon, an interoperability and scaling protocol for creating Ethereum-compatible blockchains, raised $450 million in a funding round led by Sequoia Capital India.

Polygon’s native token, MATIC, is up 6.6% over the day, currently changing hands at $1.90 per CoinGecko.

https://decrypt.co/92375/vesting-contract-polygon-defi-protocol-qidao-exploited-13-million