The hacker apparently took advantage of an inherent vulnerability in the ZEED reward distribution code to generate extra tokens and cash in up to $1 million. However, they failed to transfer the tokens from the attack contract before setting it to self-destruct. The exploit caused the price of YEED to crash to zero. “It appears that @zeedcommunity suffered an exploit. The exploiter gained ~$1m. The gains currently sit in the attack contract,” PeckShield noted in a Twitter post announcing the incident.
$1 Million Stuck in Smart “Attack” Contract
DeFi hackers often use a type of smart contract known as an attack contract to take advantage of loopholes on crypto platforms. In this case, the hacker successfully exploited the vulnerability on ZEED, but didn’t move the funds before activating the attack contract’s self-destruct protocol. This meant that the tokens were locked in the attack contract and weren’t accessible to anyone. The $1,041,237.57 worth of BTC-USD token that the hacker left in the attack contract self-destructed at 7:15 AM UTC. A detailed analysis of the incident released by ZEED revealed that the hacker triggered the self-destruct function just 15 seconds after the flash loan attack. It is unclear if this was accidental or if the hacker intentionally gave up the ill-gotten gains as a way of showboating.
A Rise in Crypto Hacking
DeFi attacks appear to be rising in frequency. Thankfully, this attack involved just $1 million worth of tokens. Other DeFi protocol exploits have led to colossal losses of cryptocurrencies and digital assets, such as the $600 million theft that affected the Ronin Network in March 2021, and the $182 million stolen from Beanstalk Farms just a few days ago. This is one of the more peculiar DeFi attacks in recent years, though oddities aren’t unheard of. In August 2021, a Polygon hack resulted in over $600 million in stolen cryptocurrency, but the hacker returned $258 million worth of the stolen coins soon after.
Defending Against Future Attacks
Crypto platforms have been quick to up their defenses in response to attacks. In the wake of the hacking of Polygon last year, the Poly Network announced a $500,000 bug bounty program. Similarly, the ZEED ecosystem has responded to this attack by releasing a detailed analysis of the incident showing how the hacker was able to execute the exploit. They also released an eight-step plan to repair bugs in the YEED contract and, more generally, to plug the loophole and prevent a repeat of a similar attack in the future. For now, trading in the YEED contract has been halted. This means users cannot withdraw their tokens until trading is relaunched on April 30th.