QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$500 000 USD
JUNE 2021
GLOBAL
VISOR FINANCE
DESCRIPTION OF EVENTS

"Visor allows DeFi participants to utilize NFT Smart Vaults for liquidity provisioning and active liquidity management on Uniswap v3." "Visor's community is thousands strong and is distributed across a variety of channels."
"As @uniswap v3 makes liquidity provision more complicated for the common man, @VisorFinance allows you to compete with professional liquidity providers by pooling people's liquidity together and dynamically concentrating it around price to maximize returns for you."
"Multi-signature accounts are not used for all management functions of Hypervisor."
"On-chain option protocol Charm's core developers discovered through the Ethereum blockchain browser that 230 ETH had been urgently withdrawn from the Uniswap V3 DeFi liquidity protocol Visor Finance's smart contract, and that the funds were then transferred to the Ethereum privacy trading platform Tornado.cash. According to CoinGecko data, Visor Finance's token VISR has fallen by more than 60% today."
"On Saturday, June 19th we discovered that an attacker had obtained access to an account that managed some of the Hypervisor admin functions." "Our hypervisors contained an emergency withdrawal function, to be deactivated pending audit completion. The attacker obtained access to this account and was able to withdraw $500k. We have since transferred the emergency safeguard to a multi-sig." "The attacker was able to withdraw funds from deposits that were not yet placed into the LP positions. The withdrawal amounted to $500k from a TVL of ~$3M. The attacker was not a member of the team and appears to have lacked full understanding of our emergency withdrawal safeguard. Stolen funds were thus limited to un-positioned assets and thus the $500k number was not arbitrary."
"We used treasury funds to cover and restore all users' positions." "[O]ur mistake was not using a multisig account for all admin functions of the Hypervisor. This has since been corrected." "Right now all admin functions of all Hypervisors have been assigned to a multisig and as soon as audits are completed the emergency withdraw function will be removed entirely."
"CertiK completed the Security Assessment of the Visor Hypervisor Active liquidity management contract" on July 9th. "This report has been prepared for Visor Finance to ensure no issues or vulnerabilities are in the source code of the Hypervisor contract as well as any contract dependencies that were not part of an officially recognized library. A comprehensive examination has been performed, utilizing Static Analysis and Manual Review techniques."
The Visor Finance project had an emergency withdrawal function on its Hypervisor contracts that could be called by a single private key. An attacker obtained that key, withdrew the deposits that had not yet been placed into liquidity positions, and moved the funds to Tornado Cash.
While the team states that the attacker was not a team member, they do not report knowing anything about the attacker that would allow them to be certain of that. All funds were restored to affected users from the project treasury.
HOW COULD THIS HAVE BEEN PREVENTED?
This highlights the importance of multi-signature control over privileged functions, which can prevent events like this when one team member has poor key security or goes rogue. In a multi-signature setup, all of the required signers must approve a withdrawal, so an attacker would have to breach every one of them, rather than a single key, to release funds. Privileged escape hatches such as an emergency withdrawal should also be time-limited or removed once they are no longer needed, as Visor said it would do after its audit.
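The difference between the two setups, as an added illustration that is not Visor's Hypervisor code and is not taken from the incident reports above: the first contract gates the emergency withdrawal behind one externally owned account, so a single leaked private key is enough to drain idle deposits; the second gates the same action behind an M-of-N committee, so a withdrawal only executes once a threshold of distinct signers has confirmed it. Contract and function names (SingleKeyVault, MultisigVault, propose, confirm, execute) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface needed for this example.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// BEFORE: the pattern the incident report describes. One externally owned
// account holds the emergency-withdraw privilege, so whoever holds that one
// private key can move idle deposits in a single transaction.
contract SingleKeyVault {
    address public immutable admin;

    constructor(address _admin) { admin = _admin; }

    function emergencyWithdraw(IERC20 token, address to, uint256 amount) external {
        require(msg.sender == admin, "not admin");
        require(token.transfer(to, amount), "transfer failed");
    }
}

// AFTER: the same privilege gated by an M-of-N committee. A withdrawal is a
// proposal that must collect `threshold` confirmations from distinct signers
// before it can execute; one compromised or rogue key cannot move funds alone.
contract MultisigVault {
    struct Proposal {
        IERC20 token;
        address to;
        uint256 amount;
        uint256 confirmations;
        bool executed;
    }

    mapping(address => bool) public isSigner;
    uint256 public immutable threshold;
    Proposal[] public proposals;
    // proposal id => signer => has this signer already confirmed
    mapping(uint256 => mapping(address => bool)) public confirmed;

    event Proposed(uint256 indexed id, address indexed token, address to, uint256 amount);
    event Confirmed(uint256 indexed id, address indexed signer);
    event Executed(uint256 indexed id);

    modifier onlySigner() { require(isSigner[msg.sender], "not signer"); _; }

    constructor(address[] memory signers, uint256 _threshold) {
        require(_threshold > 0 && _threshold <= signers.length, "bad threshold");
        for (uint256 i = 0; i < signers.length; i++) {
            require(signers[i] != address(0) && !isSigner[signers[i]], "bad signer");
            isSigner[signers[i]] = true;
        }
        threshold = _threshold;
    }

    // Any signer may open a proposal; doing so counts as their own confirmation.
    function propose(IERC20 token, address to, uint256 amount) external onlySigner returns (uint256 id) {
        proposals.push(Proposal(token, to, amount, 0, false));
        id = proposals.length - 1;
        emit Proposed(id, address(token), to, amount);
        _confirm(id);
    }

    function confirm(uint256 id) external onlySigner { _confirm(id); }

    function _confirm(uint256 id) internal {
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        require(!confirmed[id][msg.sender], "already confirmed");
        confirmed[id][msg.sender] = true;
        p.confirmations += 1;
        emit Confirmed(id, msg.sender);
    }

    // Executes only once the quorum has been reached; state is updated before
    // the external token call so a reentrant call cannot execute it twice.
    function execute(uint256 id) external onlySigner {
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        require(p.confirmations >= threshold, "not enough confirmations");
        p.executed = true;
        emit Executed(id);
        require(p.token.transfer(p.to, p.amount), "transfer failed");
    }
}
```

In practice a project would not hand-roll the committee logic but would transfer the admin role to a well-reviewed multisig wallet contract, which is what Visor reported doing after the incident; the point of the in-line version is only to make visible why a single leaked key is no longer sufficient. Note that a multisig does not remove the emergency function itself, so its signers remain a standing risk until the function is retired.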
SlowMist Hacked - SlowMist Zone (May 18)
Visor Finance - Active Liquidity Management on Uniswap v3 (Jul 14)
@VisorFinance Twitter (Jul 15)
@leveragednoobs Twitter (Jul 15)
Hypervisor Audit Report (Jul 15)
hypervisor/REP-Hypervisor-2021-07-07.pdf at master · VisorFinance/hypervisor · GitHub (Jul 15)
@VisorFinance Twitter (Jul 15)
Visor Beta — Incident Report. On Saturday, June 19th we discovered… | by Visor Finance | Medium (Jul 15)
@VisorFinance Twitter (Jul 15)
@bantg Twitter (Jul 15)
@VisorFinance Twitter (Jul 15)
blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11)
Visor Beta Incident Report (Aug 11)
