$12 000 000 USD





"AFKsystem.Finance is a Decentralized Yield Farming Ecosystem created by Yield Farmers, for Yield Farmers. Our $SILVER token ensures that AFKsystem.Finance is owned by its users. $SILVER will only be rewarded to users who benefit the protocol, thus there will be no single asset farming pools, only single asset Missions (AAVE Vaults)." "[T]he address used in the [contract] was filled using tornado[cash]" on July 8th.


"AFKsystem.Finance launching in less than 24 hours, Polygon newest DeFi Yield Vaults! Partnered with Dfyn exchange, join us at our launch on 19th Aug UTC 2PM! Fairly Launched!"


"Our official auditing partner, @0xPaladinSec, has funnily always pointed out these governance privileges to change the router as either high severity or medium severity." "AFK Systems cancelled their Paladin audit in favor of another auditor."


"On the 21st of August, AFK contacted Obelisk for an audit of their smart contracts. The actual audit started at the beginning of September."


"During the audit, we found multiple instances of severe issues that could be used maliciously. As part of our auditing process, these first draft notes were sent to AFK with proposed solutions to solve these issues." "Afksystem.finance just rugged all their vaults for a total of about $12m in profit." "On the 11th of September AFK rugged in the middle of the ongoing audit. It’s important to note that there are great risks associated with un-audited projects, and an ongoing audit doesn’t imply that the project is safe to use."


"Although afksystem had seriously trimmed down their governance privileges, they had kept one important privilege... Changing the router through which the harvested tokens are sold." "This router can then be changed for literally anything... A wallet, a malicious contract, an NFT of a rock, you name it! Going to our beloved @bscscan, they opted for a malicious contract."


"The owner of most vaults starts changing the governance address of the vaults to an exploit contract." "Using the contract, they were able to execute multiple steps in one transaction." "The contract calls panic on vaults, withdrawing tokens from underlying farming contracts." "It changes the swap router to a malicious address." "It calls resetAllowances() so the new router could drain the vaults." "It then transfers the funds." "[The receiving address] proceeds to sell off tokens." "The rug also used dai to bridge funds to the ETH chain. ~ 2,8 M Dai are transferred from AfkOwner to the final address."


"What do we all have to do before interacting with uniswap? Give token approval." "The afksystem vaults gave infinite approval over the staking token to this untrusted contract deployed by the malicious afksystem owners." "After a simple emergencyWithdraw call to move the funds into the strategy, the contract had free access to all funds through the approval and the system would go AFK indefinitely."
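The two weaknesses described in the quotes above, an owner-settable swap router and a standing unlimited allowance granted to whatever that router is, shown beside a hardened form in which a router change is announced and delayed and allowance is granted only per swap. This is an added illustration written for this page, not AFK Systems' code; the contract and function names are hypothetical and the IERC20 interface is trimmed to the one call the example uses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Weak pattern (constructed illustration): the owner can swap the router in one
// call and then hand that router an unbounded allowance over the vault's tokens.
contract WeakStrategy {
    address public owner = msg.sender;
    address public router;
    IERC20 public immutable want;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    constructor(IERC20 _want, address _router) { want = _want; router = _router; }
    function setRouter(address newRouter) external onlyOwner { router = newRouter; }
    function resetAllowances() external onlyOwner {
        want.approve(router, type(uint256).max); // any router, unlimited spend
    }
}

// Hardened pattern (hypothetical): a router change is announced on-chain, becomes
// effective only after ROUTER_DELAY so users can exit first, and allowance is
// granted per swap for the exact amount needed and cleared afterwards.
contract HardenedStrategy {
    uint256 public constant ROUTER_DELAY = 2 days;
    address public owner = msg.sender;
    address public router;
    address public pendingRouter;
    uint256 public routerEffectiveAt;
    IERC20 public immutable want;
    event RouterProposed(address indexed newRouter, uint256 effectiveAt);
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    constructor(IERC20 _want, address _router) { want = _want; router = _router; }
    function proposeRouter(address newRouter) external onlyOwner {
        pendingRouter = newRouter;
        routerEffectiveAt = block.timestamp + ROUTER_DELAY;
        emit RouterProposed(newRouter, routerEffectiveAt); // monitorable by users
    }
    function applyRouter() external onlyOwner {
        require(pendingRouter != address(0), "nothing pending");
        require(block.timestamp >= routerEffectiveAt, "timelock active");
        router = pendingRouter;
        pendingRouter = address(0);
    }
    // Approve only what this swap needs, then clear it: no standing allowance.
    function _approveForSwap(uint256 amount) internal {
        want.approve(router, amount);
        // ... call the router's swap here ...
        want.approve(router, 0);
    }
}
```

The emitted RouterProposed event is what a user or monitoring service would watch for; a router pointing at an unverified contract during the delay window is the signal to withdraw.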


"[I] got scammed by AFKFI (afk.finance) on uniswap. [T]he scammer took out all of the eth and afkfi and the liquidity is 0 now. expensive lesson learned. there goes most of my uni airdrop. [S]tay safe out there guys, ima take the loss and carry on, nothing [I] can do other than learn from this."

As a completely anonymous team, AFK Systems Finance launched a new platform including a vault, with known exploits in the smart contract hot wallet. They then engaged a couple of smart contract auditors to audit the smart contract, presumably until they found one who would not start the audit right away. When the audit results came back, they used their exploits to steal all funds from users and disappeared.


There are many ways to prevent this, from having known team members to not storing customer funds in smart contract hot wallets.



© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.