On October 27, Team Finance made an announcement that proved to be the worst nightmare for the protocol's users.
The team behind the lockup protocol, which operates in the decentralized finance environment, reported that it had suffered an exploit.
Exploit Worth $14.5 Million
According to officials at Team Finance, the exploit cost them $14.5 million.
The $14.5 million was lost in the form of cryptocurrencies during a platform migration. The platform was reportedly switching from v2 to v3 of Uniswap.
This is when the hackers intervened and exploited the migration function, which allowed them to take such a large amount from the protocol.
How the Exploit Took Place
Investigators and the security firm PeckShield, who are looking into the exploit, have already shared their initial findings.
According to the firm, the hackers were able to transfer the assets’ liquidity from Uniswap v2 to v3. The receiving end was already controlled by the hackers.
By using a contract locking tactic, the attacker was able to bypass the validation mechanisms that already exist on the platform.
Having gained access to v3 of Uniswap, they ran away with the leftovers, which the systems recognized as profit refunds.
Uniswap v3 was introduced to replace v2 because the newer version is much faster. Of everything v3 offers, its main benefit is high efficiency.
V2 Smart Contracts are Still Operational
The officials have confirmed that the v2 smart contracts are still operational. To move their LP assets from v2 to v3, users need to use the migration smart contract.
According to the investigative teams at PeckShield, the initial attack vector required just 1.76 Ether. The hackers used that to interact with the protocol and carry out their exploit.
Tokens Exploited by the Hackers
Once the hackers gained access to the platform, they started to drain digital tokens. The tokens that the hackers exploited were KNDA, TSUKA, CAW, and USD Coin.
The exploiters drained these tokens while the liquidity pools were being migrated from v2 to v3.
Following the exploit, the trading price of CAW saw a significant decline on the Uniswap exchange. The same token ended up facing the worst liquidity crunch on that particular day.
Team Finance officials have stated that they had already carried out an audit of the smart contract. They had already reached out to the hackers to try and test if they could operate the patient.