$391 000 USD

OCTOBER 2021

GLOBAL

AVATERRA FINANCE

DESCRIPTION OF EVENTS

"AVATERRA Finance is the next generation of decentralised finance (DeFi) and yield farm application on Avalanche blockchain. Built upon proven features and logic that have been battle tested on Avalanche, our initial strategy for securing yield is to use these proven features to generate solid yield and passive income for token holders."

 

"Goose fork with 11,000 token max supply. Max 4% deposit fees. Masterchef behind a 6 hr timelock. Masterchef uses block timestamps for reward calculation. Correctly accounts for transfer taxes on any token pool. An extra 10% of emission rewards are minted to the dev address. 8 tokens supplied in AVATerra-USDC LP, 0.000223159 LP tokens have been locked with RugDoc (~64%). 0.05 tokens supplied in AVATerra-WAVAX LP, 0.1414199 LP tokens have been locked with RugDoc (~43%)."

 

"Their chef contract is a Goose fork, but their token contained custom elements which includes a mint function that anyone could call." "Ultimately, what this all appears like is it was a code issue where a call to excess minting was made."

 

"Avalanche eco-protocol Avaterra Finance was hacked with a serious vulnerability in the minting contract." "[S]omeone called it and minted and dumped thousands of tokens." "The hacker called the mint() function from a custom element of the contract to mint unlimited tokens from the Goose forked project and later dumped thousands of tokens."

 

"AVATerra contract has been exploited, masterchef is safe, funds are safe please withdraw."

 

"The token was NOT a straight fork and was custom. Token code had a large bug in the code that allowed ANYONE to call mint function and mint tokens. Someone called it…and minted tokens. This crashed the price. They will need to redeploy."

 

"Avaterra finance published an apology through their telegram channel claiming they never stole any money, and they lost all of their initials as well."

 

"On behalf of the entire team, I want to sincerely apologize for yesterday's exploit that crashed our project. Someone literally took advantage of a bug on the contract and that affected minting. This error does not affect deposited funds. All funds are safe. Kindly withdraw."

 

"Firstly, I want to apologise on behalf of myself and the team about what happened yesterday, it was an unfortunate incident due to a bug in the code, we sincerely apologise and we want to at least make some remedy, that could reduce this impact and give us a new comeback, we never steal any money, we lost all our initials as well, but the community took the biggest loss, and most of all is the loss in trust due to our error, which we acknowledged and we want to fix no matter how little it may sound. We won't do KYC if we want to steal funds, none of us want to go to jail."

 

"Our contract went through several quality control checks before it was deployed. However, this one regrettably slipped past those checks and failed to live up to our standards."

 

"Avaterra also announced a few guidelines through the same channel for the future to possibly reduce the loss suffered by the entire community. We will increase our marketing efforts and make the greatest judgments for the community possible. The $SMRT tokens will be distributed to the lucky 20 winners today. The winners of our $1000 prize will be announced on our new website; we have your contact information. We ask for your help in getting back to work and starting all of these, as well as some patience while we do these repairs; together, we can make things better."

 

"To make up for this error, we are currently working out some form of compensation to the holders and considering redeployment with audit." "We will redeploy a new contract and before anything pay for audit to Paladin immediately from the balance. We will NEVER relaunch until we have a clean sheet from paladin audit for safety." "We will add more money and KYC with again but this time with rugdoc before we launch so that you know we are not here to run away with funds." "We will reduce deposit fees to 3%." "To all members that applied to #platetectonics to hold their LP for other chains, your whitelist still stands and qualify to our launch in other chain, but as a compensation for avax, we will airdrop $200 worth of the new tokens each to the first 20 community members that signed up for the #platetectonics. Our distribution plan is to airdrop 2 people every hour after farm launch to avoid unnecessary dump from airdrop, but you will receive $200 worth of the new token. This may not sound well with everyone unfortunately, but this is the few we could possibly pull to reduce this pain on the community."

 

"Please, if you held $Terra tokens before the exploit, kindly fill this form. Only for those that had the tokens when the price was over $260/token. Do not trade the token anymore." "We have now compiled the list of affected members, and shared the spreadsheet with community in the telegram chat." "Compensation now completed for those on the compensation list. We thank you for your patience."

 

"The final audit results on our new Smart contracts just came back. #AVATerra is now fully audited by @0xPaladinSec... New Token launch October 30th." "@0xPaladinSec has completed the audit on our new #Avaterra Finance contract. Their auditors checked our code line by line and worked with us to resolve all issues."

 

"We are truly sorry but we look forward to providing a better experience after resolution. Thanks again for your understanding, and please don't hesitate to contact us directly with any other concerns you may have via the Telegram group. Your feedback is essential to that process."

 


AvaTerra launched a new smart contract hot wallet without any form of audit. The contract lasted about 4 hours from their announcement, with $391k in liquidity, before their mistake was discovered. RugDoc categorized the project as "Some Risk" and later revised this to "High Risk" (even though the smart contract itself had not changed). The AvaTerra team appears to have compensated affected users for 50% of what they lost, and successfully relaunched the contract with an audit performed.

HOW COULD THIS HAVE BEEN PREVENTED?

There are a number of ways to prevent and mitigate this situation. We advocate that at least 2 reviews/audits be required prior to a project launch. It is far more secure to have the majority of funds in a multi-signature wallet where keys are stored offline by multiple operators. This would limit the potential loss to only those funds actively held in the hot wallet. We also propose a comprehensive industry insurance fund which could be available to assist.
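The flaw the quoted reports describe (a token mint function that anyone could call) is shown below next to a restricted form, as an added Solidity example; it is not the AVATerra source, and the contract names, the fixed `minter` address and the 18-decimal assumption are hypothetical. The cap reuses the 11,000 token max supply quoted above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only: NOT the AVATerra token source. All names are hypothetical.

// Minimal supply bookkeeping shared by both variants (not a full ERC-20).
abstract contract TokenBase {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    event Transfer(address indexed from, address indexed to, uint256 value);

    function _mint(address to, uint256 amount) internal virtual {
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }
}

// Vulnerable pattern: mint is external with no caller check, so any
// address can create new supply for itself.
contract OpenMintToken is TokenBase {
    function mint(address to, uint256 amount) external {
        _mint(to, amount);
    }
}

// Hardened pattern: only the designated minter (assumed here to be the
// MasterChef) may mint, and a hard cap bounds total supply regardless.
contract RestrictedMintToken is TokenBase {
    uint256 public constant MAX_SUPPLY = 11_000 ether; // 11,000 tokens, 18 decimals assumed
    address public immutable minter;

    error NotMinter(address caller);
    error CapExceeded(uint256 requested, uint256 available);

    constructor(address minter_) {
        require(minter_ != address(0), "minter is zero address");
        minter = minter_;
    }

    function mint(address to, uint256 amount) external {
        if (msg.sender != minter) revert NotMinter(msg.sender);
        uint256 available = MAX_SUPPLY - totalSupply;
        if (amount > available) revert CapExceeded(amount, available);
        _mint(to, amount);
    }
}
```

A pre-launch review or unit test that calls `mint` from an address other than the minter and expects a revert would catch the open variant before deployment.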

 


© 2019 - 2025 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.