Zabu Finance, a DeFi application on the Avalanche blockchain, has reportedly been exploited for crypto tokens worth $3.2 million. The removal of a large number of tokens eventually reduced the value of Zabu tokens to zero.
Zabu Finance announced the exploit by asking for help from Avalanche and popular Avalanche-hosted decentralized exchanges such as Pangolin and Trader Joe:
“Zabu Team Wallet has not sold a single Zabu. We're under an exploit, possibly from Spore Pool. We're investigating the exploit. Need help Pangolin, Trader Joe, Avalanche.”
Based on further investigation, Zabu found the attacker stole the assets from a pool of Spore tokens which, according to the blockchain explorer, included 402.9 Wrapped Ether (WETH), 23,157 Wrapped AVAX (WAVAX), 21,501 Pangolen (PNG), 106,848 Avaware (AVE), 361,267 Tether (USDT) and 23,958.93 JOE (JOE), all amounting to $3.2 million at the time of exploit.
Zabu confirmed that the attacker was able to interact with the blockchain contracts and “successfully pulled out 4.5 billion Zabu tokens from Zabu Farm Contract, dumped all to Pangolin LPs and Trader Joe LPs of Zabu, stole around $600K.” Soon after the exploit, Zabu and an Avalanche-hosted DeFi tool, Yield Yak, advised investors to withdraw their holdings or risk losing their assets to the attacker.
As a part of remediation, Zabu intends to return tokens to investors based on their balances before and after the hack:
“The process of Snapshot might take time as we need to calculate balances of Zabu Holders, Farm Stakers (for Zabu-related Pools) and AutoFarm Stakers (for Zabu-related Pools). We might need help Markr, DeBank and Avalanche.”
Zabu has also burned the remaining 93.12 million Zabu tokens, which was worth $360,000.
Avalanche and Zabu have not yet responded to Cointelegraph’s request for comment.
On August 30, yet another DeFi project xToken reported a cyberattack, resulting in a loss of nearly $4.5 million. According to Cointelegraph’s report, the hacker went through an elaborate process of token swaps which involved taking a flash loan from the dYdX decentralized exchange for 25,000 ETH (roughly $81 million) to carry out the attack.
In the aftermath, xToken pulled the plug on xSNX product citing “significant surface area for vulnerabilities.”