$500 000 USD

JUNE 2021

GLOBAL

VISOR FINANCE

DESCRIPTION OF EVENTS

"Visor allows DeFi participants to utilize NFT Smart Vaults for liquidity provisioning and active liquidity management on Uniswap v3." "Visor's community is thousands strong and is distributed across a variety of channels."


"As @uniswap v3 makes liquidity provision more complicated for the common man, @VisorFinance allows you to compete with professional liquidity providers by pooling people's liquidity together and dynamically concentrating it around price to maximize returns for you."

"Multi-signature accounts are not used for all management functions of Hypervisor."


"On-chain option protocol Charm's core developers discovered through the Ethereum blockchain browser that 230 ETH was urgently withdrawn from the Uniswap V3 DeFi liquidity protocol Visor Finance smart contract, and the funds were then transferred to the Ethereum privacy trading platform Tornado.cash. According to CoinGecko data, Visor Finance's token VISR has fallen by more than 60% today."

"On Saturday, June 19th we discovered that an attacker had obtained access to an account that managed some of the Hypervisor admin functions." "Our hypervisors contained an emergency withdrawal function, to be deactivated pending audit completion. The attacker obtained access to this account and was able to withdraw $500k. We have since transferred the emergency safeguard to a multi-sig." "The attacker was able to withdraw funds from deposits that were not yet placed into the LP positions. The withdrawal amounted to $500k from a TVL of ~$3M. The attacker was not a member of the team and appears to have lacked full understanding of our emergency withdrawal safeguard. Stolen funds were thus limited to un-positioned assets and thus the $500k number was not arbitrary."

"We used treasury funds to cover and restore all users' positions." "[O]ur mistake was not using a multisig account for all admin functions of the Hypervisor. This has since been corrected." "Right now all admin functions of all Hypervisors have been assigned to a multisig and as soon as audits are completed the emergency withdraw function will be removed entirely."

"CertiK completed the Security Assessment of the Visor Hypervisor Active liquidity management contract" on July 9th. "This report has been prepared for Visor Finance to ensure no issues or vulnerabilities are in the source code of the Hypervisor contract as well as any contract dependencies that were not part of an officially recognized library. A comprehensive examination has been performed, utilizing Static Analysis and Manual Review techniques."

The Visor Finance project had an emergency withdrawal function that could be called by a single private key. An attacker compromised that key and moved the withdrawn funds to Tornado Cash.

While the team states that the attacker was not a team member, they report no evidence about the attacker's identity that would establish this with certainty. All affected users' funds were restored from the treasury.

HOW COULD THIS HAVE BEEN PREVENTED?

This highlights the importance of multi-signature control, which can prevent events like this when a single team member has poor key security or goes rogue. In a multi-signature setup, every required signer must either approve the transaction or be compromised before funds can be released.
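As an added illustration (this is not Visor's Hypervisor code; the contract and function names are hypothetical), the single-key emergency withdrawal pattern is shown beside a threshold-gated version in which one leaked key alone cannot release funds:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 { function transfer(address to, uint256 amount) external returns (bool); }

// Weak pattern (hypothetical): one externally owned key can drain un-positioned deposits.
contract SingleKeyVault {
    address public admin = msg.sender;

    function emergencyWithdraw(IERC20 token, address to, uint256 amount) external {
        require(msg.sender == admin, "not admin");
        require(token.transfer(to, amount), "transfer failed");
    }
}

// Hardened pattern (hypothetical): the same call needs m-of-n signer approvals bound to the
// exact (token, to, amount, nonce) tuple, so a single compromised signer key is not enough.
contract ThresholdVault {
    uint256 public immutable threshold;
    uint256 public nonce;                       // bumps on every executed withdrawal
    mapping(address => bool) public isSigner;
    mapping(bytes32 => uint256) public approvals;
    mapping(bytes32 => mapping(address => bool)) public hasApproved;

    constructor(address[] memory signers, uint256 required) {
        require(required > 1 && required <= signers.length, "bad threshold");
        for (uint256 i = 0; i < signers.length; i++) isSigner[signers[i]] = true;
        threshold = required;
    }

    function withdrawalId(IERC20 token, address to, uint256 amount) public view returns (bytes32) {
        // Chain id and contract address are included so an approval cannot be replayed elsewhere.
        return keccak256(abi.encode(block.chainid, address(this), token, to, amount, nonce));
    }

    function approveWithdrawal(IERC20 token, address to, uint256 amount) external {
        require(isSigner[msg.sender], "not signer");
        bytes32 id = withdrawalId(token, to, amount);
        require(!hasApproved[id][msg.sender], "already approved");
        hasApproved[id][msg.sender] = true;
        approvals[id] += 1;
    }

    function emergencyWithdraw(IERC20 token, address to, uint256 amount) external {
        bytes32 id = withdrawalId(token, to, amount);
        require(approvals[id] >= threshold, "insufficient approvals");
        nonce += 1;                             // invalidates this id before the transfer
        require(token.transfer(to, amount), "transfer failed");
    }
}
```

Because the approval id includes the nonce, approvals collected for one withdrawal cannot be reused for a second one, and re-entering emergencyWithdraw during the transfer finds zero approvals for the new id.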


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.