$637 000 USD

MAY 2021

GLOBAL

WILD CREDIT

DESCRIPTION OF EVENTS

"Wild.credit is an upcoming lending protocol with isolated lending pairs." "Wild is a permissionless lending protocol featuring isolated lending pairs. Lenders supply assets into any of the lending pairs to earn interest. Borrowers pay interest to borrow while collateralizing their loans. The protocol earns an interest rate spread."

 

"Using isolated lending pairs, lenders can decide which pairs they are comfortable with and provide liquidity only to those. Just like on Uniswap, users of Wild Credit are also free to create lending pairs for any asset permissionlessly."

 

"The DeFi protocol Wild Credit on Ethereum suffered a white hat attack."

 

"A potential irregularity on the BNT-ETH pair" "We've discovered a potential irregularity on the BNT-ETH pair. All deposits have been disabled while the investigation is in progress. As a precaution, please withdraw your funds."

 

"[A]nyone can call the `initialize` function to become the owner of the LP token contract. The owner can freely mint and burn LP tokens. The hacker took ownership of the contract, minted a bunch of tokens to themselves, and then used those fake tokens to withdraw real funds."

 

"Preliminary results show that BNT-ETH was the only exploited pool. Total amount is 125,585 BNT (~ $637k)."

 

"The "attacker" who returned the funds was actually an operator of a generalized front-running bot. The real attacker attempted to execute their exploit here and was front-run." "[T]he attacker has returned a total of $650,000."

 

"We've finished reconstructing the deposit balances. Please review it to see if your deposit amount looks correct. To make sure we haven't missed anyone, we'll wait 24 hours before sending the balances."

 

"All funds have been returned now. Please check your wallet. If you made a deposit with ETH, you should have WETH balance now instead. WETH is a token representation of ETH which can be unwrapped 1:1 back to ETH on Uniswap."

 

"NEW BUG BOUNTY: @WildCredit is live now with their Immunefi Bug Bounty program! Wild Credit: decentralized lending protocol with isolated lending pairs. Go wild on your bug bounty hunting and earn $20,000:"

 

"$10k has been awarded to @Mudit__Gupta for finding a bug in the RewardDistribution contract involving snapshotAccount function which would lead to the loss of all stored rewards. The bounty remains open for all other qualified bugs."

A vulnerability in the LP token smart contract allowed anyone to take over the contract.

A malicious actor attempted to exploit it; however, a front-running bot saw the transaction and ran it with a higher fee, getting ahead of them. The front-runner returned the funds to the contract developers, who distributed them back to affected users.

HOW COULD THIS HAVE BEEN PREVENTED?

While there are many additional precautions that smart contracts can take, including security audits, bug bounties, and careful design practices, it is impossible to prove that a complex smart contract is secure. The safest storage of funds is an offline multi-signature wallet held by known people.
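As an added illustration of the `initialize` takeover quoted above (this is not Wild Credit's source code), the sketch below models an LP token whose initializer has no guard next to a version that can be initialized once, by its deployer only. All contract, function and variable names are hypothetical, and it assumes the token is deployed directly rather than behind a proxy.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contracts for illustration only; names are assumptions.

// BEFORE: initialize() has no guard, so any account can call it at any
// time, become owner, and then pass the owner check in mint().
contract UnguardedLPToken {
    address public owner;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    function initialize() external {
        owner = msg.sender; // no caller check, no "already initialized" check
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        balanceOf[to] += amount;
        totalSupply += amount;
    }
}

// AFTER: the deployer is pinned in the constructor, and initialize()
// succeeds exactly once, only when called by that deployer.
contract GuardedLPToken {
    address public immutable deployer;
    address public owner;
    bool private initialized;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    constructor() {
        deployer = msg.sender;
    }

    function initialize(address lendingPair) external {
        require(msg.sender == deployer, "not deployer");
        require(!initialized, "already initialized");
        require(lendingPair != address(0), "zero owner");
        initialized = true;
        owner = lendingPair; // only the lending pair may mint from now on
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        balanceOf[to] += amount;
        totalSupply += amount;
    }
}
```

If the token sits behind a proxy or clone, the constructor does not run in the proxy's storage context, so the initializer has to be called in the same transaction that deploys the proxy.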

 


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.