Team Finance has suffered a malicious exploit with the attacker draining $15.8 million worth of tokens from the protocol.
Team Finance is a DeFi platform that helps other projects lock their liquidity. This is done to reduce the risk of what’s known as rug pulling — where a project’s liquidity is withdrawn, causing the value of the token to crash.
Today’s attacker targeted the liquidity tokens under Team Finance’s custody, according to PeckShield. The attack affected four projects, namely CAW (A Hunters Dream), Dejitaru Tsuka, Kondux, and Feg. CAW was the most impacted in the incident with the attacker removing $11.5 million worth of its liquidity tokens.
The DeFi liquidity locker confirmed the incident, stating that the attacker exploited its audited version 2 to version 3 migration function. PeckShield stated that the flaw in the migration function allowed the attacker to manipulate the price of liquidity tokens when transferring from v2 to v3. This price skewing allowed the attacker to earn a significant profit after the migration process was completed.
“We have temporarily paused all activity through team finance until we are certain this exploit has been remedied. All funds currently on Team Finance are not at further risk of this exploit,” Team Finance stated.
The attacker used 1.76 ether ($2,700) to launch the attack, PeckShield noted. The attacker’s wallet address still holds the proceeds from the exploit, including $6.43 million in the DAI stablecoin and 880 ETH ($1.36 million).
Team Finance also urged the exploiter to get in touch to arrange a bounty payment. Such arrangements are becoming commonplace in the DeFi space amid a spate of recent high-profile hacks and exploits.
Team Finance joins a number of DeFi protocols to suffer malicious exploits in October with the month shaping up to be a record-breaking one for crypto security incidents. Earlier in the month, Mango Markets suffered a $114 million exploit with the attacker claiming that it was simply a “highly profitable trading strategy.”