$3 200 000 USD

SEPTEMBER 2021

GLOBAL

ZABU FINANCE

DESCRIPTION OF EVENTS

"A Full-Stack DeFi Station on Avalanche" "Zabu Finance is a next-gen Decentralized Finance (DeFi) project on Avalanche. Zabu Finance helps you maximize your yield through a full-fledged ecosystem with yield-aggregation, yield farming, staking, fundraising and focuses on bringing DeFi to everyone in a fun and easy-to-understand way!"

 

"Zabu Farms allow users to earn ZUBAX by staking your Pangolin Liquidity Provider (Pangolin LP) and Trader Joe Liquidity Provider (JOE LP) tokens. Many popular token pairs are available in the platform to choose from, such as ZUBAX-AVAX or ZUBAX-USDT.e. By staking LP tokens, you're supporting the Pangolin exchange and Trader Joe exchange by providing liquidity."

 

"Everything was from a Pool of $SPORE Token." "Spore has Transfer Tax" similar to YELD or GarudaSwap.

 

"[O]n September 12, 2021, the Zabu Finance project on Avalanche suffered [a] flashloan attack." "We've been exploited today." "Spore has Transfer Tax so that the attacker used the same mechanism with attacks explained on YELD and GarudaSwap." "The attacker first created two attack contracts, then swapped WAVAX into SPORE tokens through attack contract 1 in Pangolin, and deposited the obtained SPORE tokens to ZABUFarm contract, to prepare for the subsequent acquisition of ZABU token rewards."

 

"Zabu Team Wallet has not sold a single Zabu. We're under an exploit, possibly from Spore Pool. We're investigating the exploit." "The attack was caused by the incompatibility between Zabu Finance’s staking model and SPORE tokens. There have been many attacks caused by such issues."

 

"Attacker deployed and interacted with that contract to successfully pull out 4.5 billion ZABU tokens in Zabu Farm Contract, dumped all to Pangolin LPs and Trader Joe LPs of ZABU, stole around $600k" "The attacker first created two attack contracts, then swapped WAVAX into SPORE tokens through attack contract 1 in Pangolin, and deposited the obtained SPORE tokens to ZABUFarm contract, to prepare for the subsequent acquisition of ZABU token rewards."

 

"The attacker borrowed SPORE tokens from Pangolin flashloan by attack contract 2, and then began to use SPORE tokens to conduct `deposit/withdraw` operations in the ZABUFarm contract. Since SPORE tokens need to charge a certain fee during the transfer process (in the SPORE contract), the amount of SPORE tokens actually received by the ZABUFarm contract is less than the amount of staking passed in by the attacker. However, we noticed that the ZABUFarm contract directly recorded the number of staking that user received, instead of recording the actual number of tokens received by the contract, but the ZABUFarm contract allowed the user to withdraw all the staking recorded by the contract when the user took out the staking quantity. This results in the fact that the amount of SPORE tokens actually received by the attacker in the ZABUFarm contract when staking is less than the amount of tokens transferred out of the ZABUFarm contract to the attacker when the attacker withdraws."

 

"The attacker took advantage of the accounting defect caused by the compatibility between the ZABUFarm contract and the SPORE token, and continuously consumed the SPORE funds in the ZABUFarm contract to a very low value through the `deposit/withdraw` operation. The staking reward of the ZABUFarm contract is calculated by dividing the accumulated block rewards by the total amount of SPORE tokens staked in the contract. Therefore, when the total amount of SPORE tokens in the ZABUFarm contract is reduced to a very low value, a very large reward value will undoubtedly be calculated."

 

"The thief succeeded in stealing billions of ZABU tokens and dumping them on Pangolin and Trader Joe LP’s." "The attacker obtained a large amount of ZABU token rewards through the previously secured attack contract 1 in ZABUFarm, and then sold ZABU tokens."

 

"Zabu farmers are recommended to remove their deposits." "@yieldyak_ helped by warning Zabu Farmers to withdraw from their Vaults. We also calmed down people by showing them the team was also victim and burned all team tokens."

 

"We immediately realized the problem, and first priority is to protect people's funds, single assets staked are safu, ZABU related pools were affected. First was to guide people to withdraw funds if they want to protect their stack"

 

"Then we realized all ZABU rewards in Zabu Farm were exploited. So we set rewardPerBlock to 0 to allow people to withdraw from UI (they could not do it before because there were no rewards to harvest/unstake)"

 

"We've not sold a single ZABU from Dev Wallet and Treasury Wallet. As all supply is reached in a bad way, we are burning all ZABU in Dev Wallet and Treasury Wallet. Let's come back from hell!"

 

"We're planning to take the Snapshot and move forward from this hack. The plan is to take snapshot at the time just before the exploit (pre-hack)." "However, there are some people who lost money and bought back in. So we're looking for a solution that protects people (pre-hack) but also supports people who aped in post-hack."

 

"1. Snapshot pre-hack and distribute Zabu V2. 2. Restart V2 Farm with a Zabu V1 Staking Pool." "In that way, people who lost money pre-hack will get distributed the tokens, and continue to support the protocol if they want." "For the late buyer (post-hack), they can also participate in the Farm V2 by staking what they've bought in a Zabu V1 Staking Pool."

 

"The process of Snapshot might take time as we need to calculate balances of Zabu Holders, Farm Stakers (for Zabu-related Pools) and AutoFarm Stakers (for Zabu-related Pools). We might need help from @iomarkr @DeBankDeFi and @avalancheavax for that work. Then Farm V2 will be open."

 

"The SlowMist security team recommends that the project staking model should record the actual token changes in the contract before and after the transfer when the project staking model is connected to the deflationary token, instead of relying on the number of staking tokens passed in by the user."
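The accounting defect described in the two SlowMist passages above, and the fix SlowMist recommends, can be replayed in a small simulation. The code below is an added illustration, not code from Zabu Finance, SlowMist or the ZABUFarm contract: the fee-on-transfer token, the 1% fee, all account names and balances are constructed, and the pool follows an assumed MasterChef-style model in which each staker's share is the amount the contract recorded while the per-block reward is divided by the contract's actual token balance. The same pool is run twice, once crediting the nominal deposit amount (the defect) and once crediting the balance delta measured around the transfer (the fix).

```python
from dataclasses import dataclass, field


@dataclass
class FeeOnTransferToken:
    """Constructed stand-in for a deflationary token such as the SPORE token
    described above: every transfer burns `fee_bps` basis points of the amount,
    so the recipient is credited less than the sender sent."""
    fee_bps: int
    balances: dict = field(default_factory=dict)

    def balance_of(self, account):
        return self.balances.get(account, 0)

    def transfer(self, sender, recipient, amount):
        if self.balance_of(sender) < amount:
            raise ValueError(f"{sender}: insufficient balance for transfer of {amount}")
        fee = amount * self.fee_bps // 10_000
        self.balances[sender] = self.balance_of(sender) - amount
        self.balances[recipient] = self.balance_of(recipient) + amount - fee
        return amount - fee


class Farm:
    """Minimal MasterChef-style staking pool (assumed model, not the ZABUFarm
    source). With measure_received=False it credits the nominal deposit amount
    (the accounting defect SlowMist describes); with measure_received=True it
    credits the balance delta around the transfer (the recommended fix)."""

    def __init__(self, token, name, measure_received):
        self.token = token
        self.name = name            # the pool's own account in the token ledger
        self.measure_received = measure_received
        self.staked = {}            # amount the contract records per staker
        self.total_recorded = 0

    def deposit(self, user, amount):
        before = self.token.balance_of(self.name)
        self.token.transfer(user, self.name, amount)
        received = self.token.balance_of(self.name) - before
        credited = received if self.measure_received else amount
        self.staked[user] = self.staked.get(user, 0) + credited
        self.total_recorded += credited
        return credited

    def withdraw(self, user, amount):
        if self.staked.get(user, 0) < amount:
            raise ValueError("withdraw exceeds recorded stake")
        # The token transfer runs first: if the pool cannot pay, nothing else
        # changes, which mirrors an EVM revert.
        self.token.transfer(self.name, user, amount)
        self.staked[user] -= amount
        self.total_recorded -= amount

    def reward_share(self, user, block_reward):
        """Reward owed to `user` for one block. The block reward is divided by
        the pool's *actual* token balance, while the user's share is the
        *recorded* stake; under the defect the two drift apart."""
        pool_balance = self.token.balance_of(self.name)
        if pool_balance == 0:
            return 0
        return block_reward * self.staked.get(user, 0) // pool_balance


def run_scenario(measure_received, cycles, loop_amount=10_000, fee_bps=100):
    """Replay the deposit/withdraw loop from the description with constructed
    balances: an honest staker, a holding account (attack contract 1) and a
    looping account (attack contract 2). Raises ValueError if the pool can no
    longer pay a withdrawal."""
    token = FeeOnTransferToken(fee_bps, {"honest": 1_000, "holder": 1_000, "looper": 50_000})
    farm = Farm(token, "farm", measure_received)
    farm.deposit("honest", 1_000)
    farm.deposit("holder", 1_000)
    for _ in range(cycles):
        credited = farm.deposit("looper", loop_amount)
        farm.withdraw("looper", credited)
    return {
        "pool_balance": token.balance_of("farm"),
        "recorded_total": farm.total_recorded,
        "honest_can_withdraw": token.balance_of("farm") >= farm.staked["honest"],
        "holder_reward_per_1000": farm.reward_share("holder", 1_000),
    }


if __name__ == "__main__":
    print("nominal accounting, 19 cycles:", run_scenario(False, 19))
    print("balance-delta accounting, 20 cycles:", run_scenario(True, 20))
```

With nominal accounting every cycle removes 1% of the loop amount from the pool while the recorded stakes never move, so after 19 cycles the pool holds 80 tokens against 2,000 recorded, the honest staker can no longer withdraw, and the holding account is owed 12,500 of a 1,000-token block reward; the 20th cycle fails because the pool cannot pay. With balance-delta accounting the pool balance always equals the recorded total (1,980), the loop only costs the looper fees, and the reward split stays at 500/500.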

 

"We received almost no assistance from our partners on the ecosystem, and we felt defeated. We were devastated." "We want to thank our amazing community for sticking by our developers as we have been working non-stop to rebuild from the ashes."

 

"The past 50 days have been very difficult for our community and extremely trying for the Zabu Finance team." "Through the exploit, we learned a hard lesson. And now, we believe we can make something even better. With our new token (ZUBAX) we plan on becoming stronger than ever before." "In just 50 days, we have been able to come back from the exploit and build the 1st decentralized launchpad on Avalanche."

 

"We are also actively working on new partnerships and promotions and want our investors to know that we are doing everything we can to help pay back those individuals who were affected by September’s exploit." "As ZUBAX and Zabu Finance continue to grow, we will be able to compensate those holders through our NFT buy-back program. We are actively working on rolling this out. We care about our community, and we want to move Zabu Finance forward with better communication and transparency. We have great things coming in our future, and we would love to have you come along for the ride."

Zabu Finance created a large liquidity pool for the Avalanche blockchain. As is typical in exploited cases, funds were stored in a large smart contract hot wallet. In this case, the exploit came from the farm contract's handling of a deflationary (fee-on-transfer) token: it recorded the nominal amount a user deposited rather than the amount it actually received. The team used a snapshot to re-issue tokens in an attempt to compensate affected users. The recovery has been slow to materialize; however, the team appears to still be working at it.

HOW COULD THIS HAVE BEEN PREVENTED?

Hot wallets should either not store customer funds, or be insured fully through smart contract insurance or our proposed industry insurance fund.

 
