$1 274 000 USD

MARCH 2021




"Your easy and efficient access point to the best of DeFi. 15 customizable earning strategies, reward calculators, and all market data in one spot let you benefit from the future of finance today."


"Nimbus has an ambitious plan to open some of the most rewarding DeFi functionalities to everyone. All of it within just one ecosystem and with increased efficiency due to decentralization."


"Our approach takes the best tools from traditional finance and combines them with the best practices of DeFi. The recipe targets the key shortcomings of both traditional finance and DeFi in a comprehensive manner."


"Earning with Nimbus is easy. Simply pick a strategy that suits you, calculate your estimated rewards with Nimbus calculators, and follow step-by-step guides to insert your assets and start receiving rewards."


"At the testing stage of the Nimbus smart contracts, no vulnerabilities have been identified. Moreover, the external technical audit also hasn’t identified any errors and confirmed that the Nimbus Platform is fully functional and safe."


"[T]he ETH/NBU pair’s liquidity on Uniswap has grown drastically throughout the past few days. With it, the NBU token has reached the next stage of its development and became extremely attractive for all market participants — including the malicious ones."


"The current situation is a result of an attack made by well-designed semi-automatic arbitrage smart contracts that have also been targeting tens of other promising crypto and DeFi projects. It took place at 3:15:17 am UTC, March 1."


An attacker "made the initiating transaction, inserting 1.994E-15 NBU to the ETH-NBU swap pair on Nimbus Swap."


"After that, there was a liquidity withdrawal from the ETH-NBU pair on Nimbus Swap in the amount of 516.9 ETH and 597712.9 NBU. Notably, this happened without the participation of the Nimbus LP tokens. Such tokens are issued to all Nimbus Liquidity Providers when they provide Liquidity at Nimbus Platform and are required for Liquidity withdrawal. But in this case, the liquidity has been withdrawn without the use of such tokens — and this is where the anomalies begin."


"Then, this process was repeated several times by other addresses."


"As a result, not only the NBU token value and the liquidity volume got affected by sweeping arbitrage activities — but also, 90% of liquidity from NBU pairs of the Nimbus internal Swap machine were withdrawn in several transactions."


"In order to calculate balance0Adjusted and balance1Adjusted in lines 405 and 406 of the Factory.sol contract, 10,000 bits must have been used — and this was done correctly. However, in order for the smart contract to be able to check if the new volumes correspond to the basic smart contract algorithm, the same 10,000 bits also must have been used in line 407. But as a result of an error, “1,000” bits were used there instead of “10,000”."


"As a result, this single missing digit allowed the malicious smart contracts to match its arbitrage attack with the further withdrawal of liquidity."


"[F]rom now on, we shall activate our warning system for Liquidity Providers that shall notify them when there are signs of similar arbitrage activities or any sort of attacks. It will help LPs to react timely and withdraw the liquidity in a synchronized fashion to deactivate the malicious party’s activity. It will also make sure their assets are safe."


"[W]hat our analytics have been struggling to understand is how could that smart contract achieve such results and deplete almost all liquidity in a matter of several minutes?" "Our analysis showed that even after the audit of the Nimbus smart contracts by Zokyo, there was a single zero missing. And as insignificant as it may seem, it has caused this situation to escalate a lot."


"First of all, the Nimbus team will reimburse liquidity to respective Liquidity Providers in full. You can be sure that we shall not let any malicious third-parties damage your well-being!"


"Second, the identified vulnerability has already been fixed. The new version of the smart contracts is published on our GitHub — hence the need for Nimbus Platform maintenance between 7 and 8 AM CET on March 4."


"Now that this maintenance is over, Liquidity Provider’s warning was removed. You can add your Liquidity to the Platform again and be at ease knowing that everything functions as it should."


"We are thrilled to announce that the Nimbus Bug Bounty program is about to kick-off! Those of you who find bugs in the Nimbus code before July 1 can receive Rewards from a Total Fund of 50,000 NBU!" "[W]e want to show our appreciation towards our bug hunters. So, we offer up to 50,000 NBU in rewards to up to 20 participants who succeed in this program."

The Nimbus Platform is a set of several blockchain-based strategies for DeFi participants. Using these tools requires the Nimbus token, which could be purchased through the project's own smart contract; that contract placed all funds in a hot wallet liquidity pool. Unfortunately, the liquidity pool's code contained a small typo (a missing zero) which allowed an attacker to drain the pool and steal the funds. After determining the cause of the drainage, the platform agreed to reimburse liquidity providers. No subsequent details could be located on the nature of the reimbursement.
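To make the "missing zero" concrete, here is an added Python model (not Nimbus's code, and not taken from the page) of the fee-adjusted constant-product check used by Uniswap-V2-style swap pairs, which is the design the post-mortem's `balance0Adjusted`/`balance1Adjusted` names point to. The Nimbus source is not on the page, so the exact contents of lines 405 to 407 are assumed: the adjusted balances are built on a 10000 scale, and the `require` line multiplies the reserve product by the scaling constant squared. The model isolates what happens when that constant is 1000 instead of 10000.

```python
# Added example (not Nimbus's code): a model of the fee-adjusted K invariant
# check of a Uniswap-V2-style swap pair, parameterised by the constant used on
# the require line, to show how a "1000" where "10000" was intended weakens it.
# The real Nimbus line contents are assumed, not quoted.

FEE_NUMERATOR = 30   # assumed 0.30% swap fee, expressed against a 10000 base
BASE = 10_000        # scale the adjusted balances are built on (lines 405-406 in the quote)


def k_check(reserve0, reserve1, balance0, balance1, amount0_in, amount1_in,
            check_scale=BASE):
    """Return True if the post-swap balances satisfy the K invariant.

    check_scale is the constant squared on the require line (line 407 in the
    quote). The contract is only correct when check_scale == BASE; any smaller
    value lets the balance product shrink below the reserve product.
    """
    balance0_adjusted = balance0 * BASE - amount0_in * FEE_NUMERATOR
    balance1_adjusted = balance1 * BASE - amount1_in * FEE_NUMERATOR
    return balance0_adjusted * balance1_adjusted >= reserve0 * reserve1 * check_scale ** 2


def max_symmetric_drain(reserve0, reserve1, check_scale, dust_in=1):
    """Largest fraction (in steps of 0.01%) of both reserves that a single swap
    can withdraw while k_check still passes, given a dust deposit of one unit
    of token0. Binary search is valid because the check is monotone in the
    amount withdrawn."""
    lo, hi = 0, BASE
    while lo < hi:
        mid = (lo + hi + 1) // 2
        out0 = reserve0 * mid // BASE
        out1 = reserve1 * mid // BASE
        ok = k_check(reserve0, reserve1,
                     reserve0 + dust_in - out0, reserve1 - out1,
                     dust_in, 0, check_scale)
        if ok:
            lo = mid
        else:
            hi = mid - 1
    return lo / BASE


if __name__ == "__main__":
    # Constructed pool: 1,000 ETH and 1,000,000 NBU in 18-decimal units.
    r0, r1 = 1_000 * 10**18, 1_000_000 * 10**18
    print("correct check (10000):", max_symmetric_drain(r0, r1, 10_000))  # 0.0
    print("buggy check   (1000): ", max_symmetric_drain(r0, r1, 1_000))   # 0.9
```

With the constant correct, a dust deposit buys nothing: no withdrawal of either token passes the check. With 1000 on the require line, the right-hand side is 100 times too small, so the balance product only has to stay above 1% of the reserve product, and a single swap can remove 90% of both reserves (0.1 × 0.1 = 0.01). That is the same 90% figure the post-mortem reports, and the fix is simply to use one constant for both the adjusted balances and the check.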


There are a number of ways to prevent and mitigate this situation. It is far more secure to keep the majority of funds in a multi-signature wallet whose keys are stored offline by multiple operators; this limits the potential loss to only the funds actively held in the hot wallet. Audits can reduce the risk to the hot wallet further, and we advocate requiring at least 2 reviews prior to a project launch. We also propose a comprehensive industry insurance fund which could be available to assist.



© 2021 Quadriga Initiative.