$660 000 USD

JANUARY 2023

GLOBAL

MIDAS CAPITAL

DESCRIPTION OF EVENTS

"CAPITAL EFFICIENT ISOLATED LENDING AND BORROWING POOLS. Create your own custom money markets and maximize capital efficiency for any group of assets."

 

"There are 3 parts to "Midas Capital," and it is important to recognize the differences between each party involved. The Midas Capital Protocol [is a] DeFi protocol that is built using Smart Contracts and run autonomously on EVM compatible blockchains in order to put crypto assets to use. The Midas Capital UI [is a] web app that provides easy to use tooling in order to interact with the decentralized protocol. This interface is one of the many ways of interacting with the Smart Contracts. The core Midas team that will lead the protocol to full decentralization."

 

"Midas Capital is an open interest rate protocol that allows users to lend and borrow digital assets. The Midas protocol enables anyone to instantly create and deploy their own lending and borrowing pool. The protocol allows users (individuals, protocols, DAOs, institutions) to choose all of their custom parameters and isolate risk, rather than using a large lending and borrowing pool on other platforms. Pools can be made public or private depending on the creator's preference."

 

"As Uniswap is to permissionless trading markets, Midas pool has permissionless lending and borrowing. If there is an asset that has on-chain liquidity, it can be supported within Midas pools via a pre-built or custom oracle."

 

"The nature of Midas Protocol completely removes the need to lobby money market protocols such as Compound Finance or Aave. Generally, newer tokens to the ecosystem have a very low chance of being listed on these large money markets given their possible risk to the rest of the pool. Midas Protocol allows for isolated versions of Compound Finance, which provides users with a full range of composability with their digital assets and the financial freedom not seen in the traditional banking industry."

 

"Midas recently added WMATIC-stMATIC Curve LP token for use as collateral. These tokens have a read-only reentrancy vulnerability which allows the token's virtual price to be manipulated when improperly implemented."

 

"Both organisations announced the cause of the attack as the use of WMATIC-stMATIC Curve LP token. The read-only reentrancy vulnerability is a known weakness of this type of LP token, and had previously led to a $220k loss on market.xyz in October."

 

"[T]he calculation of a position's collateral depends on self.D and totalSupply. self.D is updated after an unexpected callback, so the four borrows use an outdated self.D. The contract burns stMATIC-f before the unexpected callback, which causes the four borrows to use an updated stMATIC-f.totalSupply()."

 

"As a result, @MidasCapitalxyz over-estimated the attack contract's position and lent excessive assets to the contract."
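The state ordering described in the quotes above, as an added example that is not taken from the original sources or from Midas or Curve code: a constructed toy pool burns LP supply, hands control to the receiver, and only then updates D, so an unguarded price read during the callback sees a stale D over a reduced supply. The class, function names and numbers are assumptions for illustration, and the `locked` flag stands in for the pool's reentrancy lock, which an on-chain consumer usually exercises indirectly by calling a lock-protected pool function so that a mid-call read reverts.

```python
from fractions import Fraction

class PoolMidCall(Exception):
    """Raised when a price is requested while the pool is mid-withdrawal."""

class ToyPool:
    """Constructed model: only D, the LP total supply and a lock flag."""
    def __init__(self, d, total_supply):
        self.D = d
        self.total_supply = total_supply
        self.locked = False

    def virtual_price(self):
        # Read-only view: it takes no lock, so it stays callable mid-withdrawal.
        return Fraction(self.D, self.total_supply)

    def remove_liquidity(self, lp_amount, on_receive):
        self.locked = True
        payout = self.D * lp_amount // self.total_supply
        self.total_supply -= lp_amount  # 1. LP tokens are burned first
        on_receive(self)                # 2. transfer hands control to the receiver
        self.D -= payout                # 3. D is only updated afterwards
        self.locked = False

def naive_collateral_price(pool):
    # Trusts the view function regardless of what the pool is doing.
    return pool.virtual_price()

def guarded_collateral_price(pool):
    # Refuses to price collateral while the pool state is inconsistent.
    if pool.locked:
        raise PoolMidCall("pool state is inconsistent")
    return pool.virtual_price()

def prices_seen_during_withdrawal(d, total_supply, lp_amount):
    pool = ToyPool(d, total_supply)
    seen = {"before": pool.virtual_price()}
    def receiver(p):
        seen["naive_mid_call"] = naive_collateral_price(p)
        try:
            guarded_collateral_price(p)
            seen["guard_rejected"] = False
        except PoolMidCall:
            seen["guard_rejected"] = True
    pool.remove_liquidity(lp_amount, receiver)
    seen["after"] = guarded_collateral_price(pool)
    return seen

if __name__ == "__main__":
    print(prices_seen_during_withdrawal(1_000_000, 1_000_000, 900_000))
```

With these constructed numbers the naive read reports ten times the true price during the callback, while the guarded read refuses to answer until the withdrawal has finished.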

 

"The attacker was able to borrow the following assets against the inflated collateral: jCHF: 273,973, jEUR: 368,058, jGBP: 45,250, agEUR: 45,435, which were then swapped to ~660k MATIC ($660k) and sent on to Kucoin and Binance."

 

"Jarvis Network will cover the (~$350k) shortfall in backing of jFIATs that resulted from the exploit, and Midas Capital have reached out to the hacker in an attempt to negotiate a bounty."

 

"We have decided not to wait for Midas, and we are working on a plan to re-collateralize the jFIATs the protocol lost, and reimburse the users who were victims of the exploit. We will propose to the Jarvis governance to allocate part of the protocol’s revenues (liquidity provision, lending interests, protocol fee and farming with POL) and part of the protocol treasury to it, and we will ask for the help and support of our community, partners, investors, and “frens”. I have already discussed with many of them and they have expressed their will to support us in this difficult moment, either with or without counterparty. Also, the company which is the main liquidity provider within the protocol will help, with both its treasury and revenues (±$700k last year with swap fees, interests and market making)."

 

Explore This Case Further On Our Wiki

Midas Capital is a DeFi protocol that allows users to lend and borrow digital assets, enabling anyone to create and deploy their own lending and borrowing pool. The protocol allows users to choose all of their custom parameters and isolate risk. Pools can be made public or private, depending on the creator's preference, and any asset with on-chain liquidity can be supported within Midas pools. Midas recently added WMATIC-stMATIC Curve LP token for use as collateral, but it has a read-only reentrancy vulnerability that allows the token's virtual price to be manipulated when improperly implemented. This vulnerability led to a recent exploit in which the attacker borrowed several assets against inflated collateral and swapped them for approximately $660k worth of MATIC, which was sent to Kucoin and Binance. Jarvis Network will cover the shortfall in backing of jFIATs resulting from the exploit, and Midas Capital is attempting to negotiate a bounty with the hacker. They are also working on a plan to re-collateralize the jFIATs the protocol lost and reimburse affected users, with the support of their community, partners, investors, and liquidity provider.
