Avaterra Finance Minting Vulnerability
AvaTerra launched a new smart contract hot wallet without any form of audit. The contract lasted about 4 hours from the announcement, holding $391k in liquidity, before the mistake was discovered. RugDoc categorized the project as "Some Risk" and later revised it to "High Risk" (even though the smart contract itself had not changed). The AvaTerra team appears to have compensated affected users for 50% of what they lost, and successfully relaunched the contract after an audit was performed.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24]
About Avaterra Finance
"AVATERRA Finance is the next generation of decentralised finance (DeFi) and yield farm application on Avalanche blockchain. Built upon proven features and logic that have been battle tested on Avalanche, our initial strategy for securing yield is to use these proven features to generate solid yield and passive income for token holders."
"Goose fork with 11,000 token max supply. Max 4% deposit fees. Masterchef behind a 6 hr timelock. Masterchef uses block timestamps for reward calculation. Correctly accounts for transfer taxes on any token pool. An extra 10% of emission rewards are minted to the dev address. 8 tokens supplied in AVATerra-USDC LP, 0.000223159 LP tokens have been locked with RugDoc (~64%). 0.05 tokens supplied in AVATerra-WAVAX LP, 0.1414199 LP tokens have been locked with RugDoc (~43%)."
"Their chef contract is a Goose fork, but their token contained custom elements which includes a mint function that anyone could call." "Ultimately, what this all appears like is it was a code issue where a call to excess minting was made."
"Avalanche eco-protocol Avaterra Finance was hacked with a serious vulnerability in the minting contract." "[S]omeone called it and minted and dumped thousands of tokens." "The hacker called the mint() function from a custom element of the contract to mint unlimited tokens from the Goose forked project and later dumped thousands of tokens."
"AVATerra contract has been exploited, masterchef is safe, funds are safe please withdraw."
"The token was NOT a straight fork and was custom. Token code had a large bug in the code that allowed ANYONE to call mint function and mint tokens. Someone called it…and minted tokens. This crashed the price. They will need to redeploy."
"Avaterra finance published an apology through their telegram channel claiming they never stole any money, and they lost all of their initials as well."
"On behalf of the entire team, I want to sincerely apologize for yesterday's exploit that crashed our project. Someone literally took advantage of a bug on the contract and that affected minting. This error does not affect deposited funds. All funds are safe. Kindly withdraw."
"Firstly, I want to apologise on behalf of myself and the team about what happened yesterday. It was an unfortunate incident due to a bug in the code; we sincerely apologise and we want to at least make some remedy that could reduce this impact and give us a new comeback. We never stole any money, we lost all our initials as well, but the community took the biggest loss, and most of all is the loss in trust due to our error, which we acknowledge and want to fix, no matter how little it may sound. We wouldn't do KYC if we wanted to steal funds; none of us wants to go to jail."
"Our contract went through several quality control checks before it was deployed. However, this one regrettably slipped past those checks and failed to live up to our standards."
"Avaterra also announced a few guidelines through the same channel for the future to possibly reduce the loss suffered by the entire community. We will increase our marketing efforts and make the greatest judgments for the community possible. The $SMRT tokens will be distributed to the lucky 20 winners today. The winners of our $1000 prize will be announced on our new website; we have your contact information. We ask for your help in getting back to work and starting all of these, as well as some patience while we do these repairs; together, we can make things better."
"To make up for this error, we are currently working out some form of compensation to the holders and considering redeployment with audit." "We will redeploy a new contract and before anything pay for an audit by Paladin immediately from the balance. We will NEVER relaunch until we have a clean sheet from the Paladin audit for safety." "We will add more money and KYC again, but this time with RugDoc before we launch so that you know we are not here to run away with funds." "We will reduce deposit fees to 3%." "To all members that applied to #platetectonics to hold their LP for other chains, your whitelist still stands and qualifies you for our launch on other chains, but as compensation for AVAX, we will airdrop $200 worth of the new tokens each to the first 20 community members that signed up for the #platetectonics. Our distribution plan is to airdrop to 2 people every hour after farm launch to avoid unnecessary dumping from the airdrop, but you will receive $200 worth of the new token. This may not sit well with everyone unfortunately, but this is the few we could possibly pull to reduce this pain on the community."
"Please, if you held $Terra tokens before the exploit, kindly fill this form. Only for those that had the tokens when the price was over $260/token. Do not trade the token anymore." "We have now compiled the list of affected members, and shared the spreadsheet with community in the telegram chat." "Compensation now completed for those on the compensation list. We thank you for your patience."
"The final audit results on our new Smart contracts just came back. #AVATerra is now fully audited by @0xPaladinSec... New Token launch October 30th." "@0xPaladinSec has completed the audit on our new #Avaterra Finance contract. Their auditors checked our code line by line and worked with us to resolve all issues."
"We are truly sorry but we look forward to providing a better experience after resolution. Thanks again for your understanding, and please don't hesitate to contact us directly with any other concerns you may have via the Telegram group. Your feedback is essential to that process."
What Happened
Date | Event | Description |
---|---|---|
October 20th, 2021 | Main Event | The custom token contract's mint() function could be called by anyone. A caller minted thousands of tokens and dumped them, crashing the price about 4 hours after launch. The MasterChef and deposited funds were reported unaffected, and users were told to withdraw. |
Technical Details
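The sources above describe the root cause as a token mint function with no access control. As an added illustration that is not Avaterra's or Goose Finance's code, the following shows that flawed pattern beside the conventional hardening for Goose-style farms: restrict mint() to the owner, hand ownership to the MasterChef after deployment, and cap total supply. Contract names, the cap constant and the 18-decimal assumption are mine; the 11,000 figure comes from RugDoc's listing quoted above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Illustrative contracts added to this page; not Avaterra's code. Contract and
// constant names are assumptions. The 11,000 max supply follows RugDoc's listing.

// Token with the flaw described above: mint() carries no access control,
// so any address can create tokens for itself and sell them.
contract TerraTokenVulnerable {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    event Transfer(address indexed from, address indexed to, uint256 value);
    function mint(address to, uint256 amount) external { // anyone can call this
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }
}

// Hardened token: minting is restricted to the owner, which the deployer
// hands to the MasterChef after deployment, and total supply is capped.
contract TerraTokenFixed {
    uint256 public constant MAX_SUPPLY = 11_000 * 1e18; // assumed 18-decimal cap
    uint256 public totalSupply;
    address public owner;
    mapping(address => uint256) public balanceOf;
    event Transfer(address indexed from, address indexed to, uint256 value);
    event OwnershipTransferred(address indexed prev, address indexed next);

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    constructor() { owner = msg.sender; }

    // Called once with the MasterChef address so only it can mint rewards.
    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "new owner is the zero address");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }

    function mint(address to, uint256 amount) external onlyOwner {
        require(totalSupply + amount <= MAX_SUPPLY, "max supply exceeded");
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }
}
```

A review step that catches this class of bug is to list every external or public function in the token that changes totalSupply and confirm each one carries an access modifier and that the owner is the intended contract, not an EOA.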
Total Amount Lost
The total amount lost has been estimated at $391,000 USD.
Immediate Reactions
Ultimate Outcome
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
General Prevention Policies
There are a number of ways to prevent and mitigate this situation. We advocate requiring at least 2 reviews/audits prior to a project launch. It is far more secure to keep the majority of funds in a multi-signature wallet whose keys are stored offline by multiple operators; this limits the potential loss to the funds actively held in the hot wallet. We also propose a comprehensive industry insurance fund which could be available to assist.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] https://blog.insurace.io/security-incidents-in-october-cfed829449d0 (Dec 16, 2021)
- [2] AVATerra Finance (Dec 29, 2021)
- [3] Welcome to AVATerra - Terra Finance (Dec 29, 2021)
- [4] AVATerra Finance – Paladin Blockchain Security (Dec 29, 2021)
- [5] https://coinmarketcap.com/currencies/avaterra/ (Dec 29, 2021)
- [6] AVATerra Finance - RugDoc (Dec 29, 2021)
- [7] AVATerra Finance - RugDoc (Dec 29, 2021)
- [8] AvaTerra.finance( AvaTerra ) info, AvaTerra.finance( AvaTerra ) chart, market cap, and price | TheBitTimes.Com (Dec 29, 2021)
- [9] Avaterra Finance Hacked, Exposing Severe Flaws | CoinCodeCap (Dec 29, 2021)
- [10] Telegram: Contact @avaterra (Dec 29, 2021)
- [11] Telegram: Contact @avaterra (Dec 29, 2021)
- [12] Telegram: Contact @avaterra (Dec 29, 2021)
- [13] @avaterrafinance Twitter (Dec 29, 2021)
- [14] @avaterrafinance Twitter (Dec 29, 2021)
- [15] @avaterrafinance Twitter (Dec 29, 2021)
- [16] @RugDocIO Twitter (Dec 29, 2021)
- [17] @avaterrafinance Twitter (Dec 29, 2021)
- [18] @avaterrafinance Twitter (Dec 29, 2021)
- [19] @avaterrafinance Twitter (Dec 29, 2021)
- [20] @avaterrafinance Twitter (Dec 29, 2021)
- [21] @avaterrafinance Twitter (Dec 29, 2021)
- [22] @avaterrafinance Twitter (Dec 29, 2021)
- [23] AVATerra Faced Exploitation on the Day Of its Launch - The Crypto Times (Dec 29, 2021)
- [24] No Title (Jan 10, 2022)