$3.2 million has been stolen from DeFi protocol Zabu in what appears to be the first major hack on the Avalanche ecosystem.
Zabu confirmed the news, stating that the funds were stolen from its SPORE pool.
According to Zabu officials, the attacker exploited the “Transfer Tax” mechanism to mint tokens, causing the price of the token to fall drastically. The attacker exploited a weakness in the contract used by yield farms to issue rewards.
Security firm PeckShield noted that “the same bug happened many times before.”
The malicious actor removed 4.5 billion ZABU tokens from the contract and then proceeded to accumulate LP tokens in other farms on the Avalanche Pangolin and Trader Joe exchanges. The tokens were eventually sold as the hacker made off with the loot.
After realizing that Zabu Farms had been exploited, the firm set rewards to zero so that users can withdraw their funds. It now plans to take a snapshot from before the hack and to seek a solution for those who bought in after the exploit.
Zabu is looking to distribute ZABU v2 tokens to those affected and to restart the farm as v2, with a Zabu v1 staking pool for those who joined after the hack. According to the Zabu team:
“In that way, people who lost money pre-hack will get distributed the tokens, and continue to support the protocol if they want. For the late buyer (post-hack), they can also participate in the Farm V2 by staking what they’ve bought in a Zabu V1 Staking Pool.”
Following the attack, the value of ZABU tokens plummeted to nearly zero, from $0.004 on Sunday to $0.00002 as of press time.
Zabu Finance has now joined a growing list of DeFi protocols that have been exploited in 2021. According to DeFiYield’s REKT database, $1.7 billion has been lost to similar hacks, scams, and rug pulls over the past five years.