$310 000 USD

OCTOBER 2020

GLOBAL

DEFI SAVER

DESCRIPTION OF EVENTS

"DeFi Saver is a one-stop dashboard for creating, managing and tracking your DeFi positions." "Automation can manage your leverage and protect your position from liquidation based on your input, non-custodially and trustlessly."


"The decentralized wallet imToken tweeted that users reported that 310,000 DAI had been reduced, which conflicted with DeFi Saver Exchange. imToken recommends that the automated management system of collateralized bond warehouses (CDP) imi stated that its security team is investigating the incident and trying to troubleshoot all user wallets that were hit and to issue warnings."


"The complete attack process: (1) The attacker calls the swapTokenToToken function, passing in _exchangeAddress as the DAI contract address, selecting _exchangeType as 4, and putting the attack payload in _callData. (2) At this point the logic for _exchangeType == 4 is followed, which calls the takeOrder function and passes in _callData. (3) The takeOrder function makes a specific call with the incoming _callData, so if a user who holds DAI has authorized the SaverExchange contract in the DAI contract, the attacker can use the incoming _callData to call the transferFrom function of the DAI contract and transfer the user's DAI out directly, and this can be constructed in _callData. (4) Through the constructed _callData and the user's prior DAI authorization of the SaverExchange contract, the SaverExchange contract can directly transfer the DAI in the user's account to the address specified by the attacker by calling the transferFrom function of the DAI contract."


"DeFiSaver responded that this part of the funds is safe and is contacting users. DeFiSaver admitted that this was related to the foreign exchange benefits reported in June."

There was a vulnerability in the DeFi Saver Exchange smart contract. Some user funds were at risk; they were captured and returned through a whitehat hack.
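The attack process quoted above comes down to one pattern: a shared contract that holds standing token approvals from many users also lets any caller choose both the address it calls and the raw calldata it forwards. The following Solidity is an added illustration written for this page, not DeFi Saver's code; the contract names, the IExchangeAdapter interface and the setAdapter/swap functions are hypothetical. It places the risky forwarding pattern beside a hardened version that allowlists adapter contracts, builds calldata from typed parameters, and only ever moves funds from and back to msg.sender.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Standard ERC-20 subset used below (assumed interface).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical adapter interface that every allowlisted exchange wrapper implements.
interface IExchangeAdapter {
    function swap(address srcToken, address destToken, uint256 srcAmount)
        external
        returns (uint256 destAmount);
}

/// Risky pattern (illustrative only): the caller supplies both the target and
/// opaque calldata, and the contract forwards them with its own authority.
/// Because users have approved this contract to spend their tokens, the
/// forwarded call can act on those approvals.
contract UnsafeForwarder {
    function takeOrder(address _exchangeAddress, bytes calldata _callData) external {
        (bool ok, ) = _exchangeAddress.call(_callData); // arbitrary call: the defect
        require(ok, "order failed");
    }
}

/// Hardened pattern: targets come from an owner-managed allowlist of adapter
/// contracts, calldata is built from typed parameters rather than forwarded,
/// and tokens are only pulled from msg.sender and returned to msg.sender.
contract SafeExchange {
    address public immutable owner;
    mapping(address => bool) public approvedAdapter;

    event AdapterUpdated(address indexed adapter, bool approved);

    constructor() {
        owner = msg.sender;
    }

    function setAdapter(address adapter, bool approved) external {
        require(msg.sender == owner, "not owner");
        approvedAdapter[adapter] = approved;
        emit AdapterUpdated(adapter, approved);
    }

    function swap(
        address srcToken,
        address destToken,
        uint256 srcAmount,
        uint256 minDestAmount,
        address adapter
    ) external returns (uint256 received) {
        require(approvedAdapter[adapter], "adapter not approved");
        // A token contract must never be callable as an "exchange".
        require(srcToken != adapter && destToken != adapter, "token is not an adapter");

        // Funds move only from the caller; no parameter lets anyone name another account.
        require(IERC20(srcToken).transferFrom(msg.sender, address(this), srcAmount), "pull failed");

        // Grant the adapter exactly this amount for this call, then revoke it.
        require(IERC20(srcToken).approve(adapter, srcAmount), "approve failed");
        uint256 before = IERC20(destToken).balanceOf(address(this));
        IExchangeAdapter(adapter).swap(srcToken, destToken, srcAmount);
        require(IERC20(srcToken).approve(adapter, 0), "revoke failed");

        // Measure what actually arrived instead of trusting the adapter's return value.
        received = IERC20(destToken).balanceOf(address(this)) - before;
        require(received >= minDestAmount, "slippage");
        require(IERC20(destToken).transfer(msg.sender, received), "payout failed");
    }
}
```

The allowlist alone is not enough: the hardened version also removes the raw-bytes parameter entirely, so even an approved adapter is reached only through a typed interface, and it pins the `from` side of every transferFrom to msg.sender. A further step, outside this snippet, is to hold user approvals in a per-user proxy rather than in one shared contract, so that a bug in shared swap logic cannot reach every user's allowance at once.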

HOW COULD THIS HAVE BEEN PREVENTED?

Sources And Further Reading


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.