- Attacker borrowed assets using a flash loan and inflated collateral value to deplete the pool of liquidity
- QuickSwap attributed the exploit to a Market XYZ platform vulnerability linked to Curve
QuickSwap, a DeFi lending service running on Polygon, shut down its operations for users after suffering a flash loan exploit on Monday. More than $220,000 worth of tokens was lost, CoinDesk wrote.
Setup of the attack
According to blockchain data, the cybercriminal executed a textbook attack, borrowing assets using a flash loan and inflating the collateral value to deplete the pool of liquidity.
Among the tokens stolen were LDO, MATIC, and staked MATIC. They were exchanged on Tornado Cash for other tokens yesterday afternoon. QuickSwap tweeted:
QuickSwap Lend is closing. $220k was exploited in a flash loans attack due to a vulnerability with the Curve Oracle.
Tokens lost in a single transaction
Some DeFi networks provide flash loans without asking for collateral. The only requirement to take out a loan is to pay it back in the same transaction. In this case, the criminal stole the tokens in just one transaction.
Cause of vulnerability
At first, QuickSwap attributed the exploit to a Market XYZ platform vulnerability. They alleged that the platform had been using faulty oracles from QiDao, a stablecoin issuer, and DeFi protocol Curve. QiDao denied the accusation, stating the attack was not related to its smart contracts.
Oracles retrieve data from outside sources and supply that information to blockchain networks. October 2022 has been the worst month for exploits in history. This attack is the latest in a growing series of exploits, with a week left to go until the month ends.
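A lending market that values collateral at whatever price its oracle reports in the current transaction can be made to over-lend, which is the failure described above. The following is an added example, not code from QuickSwap, Market XYZ, Curve or QiDao: it compares a spot-price borrow limit with one that rejects prices outside a time-weighted band. The loan-to-value ratio, the 10% tolerance, the 30-minute window and the price observations are all constructed assumptions.

```python
from dataclasses import dataclass, field

LTV = 0.75            # assumed loan-to-value ratio
MAX_DEVIATION = 0.10  # assumed tolerance between spot and time-weighted price

@dataclass
class PriceFeed:
    """Collateral price observations as (timestamp_seconds, price) pairs."""
    history: list = field(default_factory=list)

    def spot(self):
        return self.history[-1][1]

    def twap(self, now, window):
        """Time-weighted average over [now - window, now]. A price first seen
        at `now` (same transaction) has held for zero seconds, so weight 0."""
        start, weighted, covered = now - window, 0.0, 0
        for i, (ts, price) in enumerate(self.history):
            end = self.history[i + 1][0] if i + 1 < len(self.history) else now
            lo, hi = max(ts, start), min(end, now)
            if hi > lo:
                weighted += price * (hi - lo)
                covered += hi - lo
        if covered == 0:
            raise ValueError("no price history inside the window")
        return weighted / covered

def borrow_limit_spot(feed, units):
    """Weak form: trusts whatever the oracle reports right now."""
    return units * feed.spot() * LTV

def borrow_limit_guarded(feed, units, now, window=1800):
    """Hardened form: refuse to lend when spot has left the TWAP band."""
    ref, spot = feed.twap(now, window), feed.spot()
    if abs(spot - ref) / ref > MAX_DEVIATION:
        raise ValueError(f"oracle deviation: spot={spot} twap={ref:.4f}")
    return units * min(spot, ref) * LTV

def sample_feed(inflated):
    """Constructed observations; the last one models a same-transaction spike."""
    obs = [(0, 1.00), (600, 1.02), (1200, 0.99)]
    return PriceFeed(obs + [(1800, 9.50)] if inflated else obs)

if __name__ == "__main__":
    print(borrow_limit_spot(sample_feed(True), 100_000))            # weak
    print(borrow_limit_guarded(sample_feed(False), 100_000, 1800))  # normal
    try:
        borrow_limit_guarded(sample_feed(True), 100_000, 1800)
    except ValueError as err:
        print("rejected:", err)
```

Because a flash loan must be repaid inside one transaction, any price it distorts exists only at the current timestamp, so the time-weighted reference is unaffected and the deviation check fails closed.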