On Oct. 27, decentralized finance (DeFi) lockup protocol Team Finance said that over $14.5 million worth of tokens were exploited through the Uniswap v2 to v3 migration function on its platform. As told by blockchain security firm PeckShield, the hacker transferred liquidity from Uniswap v2 assets on Team Finance to an attacker-controlled v3 pair with skewed pricing. By locking tokens to the contract, the attacker bypassed existing validation mechanisms and pocketed the huge leftovers as a refund for profit.
Uniswap v3 was designed with better efficiency for liquidity providers (LP) than v2 on its decentralized exchange. However, v2 smart contracts are still operational, and users must interact with a migration smart contract to migrate their LP assets from v2 to v3. PeckShield estimated that the initial attack vector required for this interaction cost just 1.76 Ether (ETH).
Drained assets include USD Coin (USDC), CAW, TSUKA and KNDA tokens, as the liquidity pools were “moved” to Uniswap v3. On the decentralized exchange, some of the affected tokens, such as CAW, suffered steep price declines due to the exploit and subsequent liquidity crunch.
Team Finance said that the smart contract had been previously audited and urged the hacker to “get in contact with us for a bounty payment.” As a result, developers have temporarily paused all activity on the protocol and claim that all funds on the platform are not at risk of a further exploit. Founded in 2020, Team Finance and its parent firm, TrustSwap, provide token liquidity locking and vesting services for project executives. The protocol claims to have $3 billion secured across 12 blockchains.