The exploit took place on the Market XYZ lending market, which was the only platform compromised, according to QuickSwap. The attack had initially been linked to Qi DAO — which issues the miMatic stablecoin — by PeckShield. The security and analytics firm later attributed the attack to an exploit on QuickSwap.
The DEX later confirmed that $220,000 had been exploited using flash loans, and QuickSwap lend is now set to close. An update had been promised in the early hours of Monday, but users were left waiting around 12 hours for any clarity on the issue.
“We are encouraging users with funds deposited in Market xyz’s open markets on QuickSwap to withdraw them now, as we are in the process of closing them down,” QuickSwap wrote on Twitter.
“It is a price manipulation issue. The miMATIC market uses CurvePoolOracle for price feed, which is manipulated to Borrow funds from the market,” PeckShield wrote on Twitter.
It appears the exploit used price manipulation to borrow funds at an inflated price, based on PeckShield’s analysis. The exploiter has since bridged the funds back to Ethereum, before depositing them on Tornado Cash — the mixing service that was subject to U.S. Treasury sanctions in August.
No user funds were compromised according to QuickSwap, who did not immediately respond to a request for comment from The Block.