Zabu Finance to abused for $3.2 million

In what appears to be the first major hack in the Avalanche ecosystem, the decentralized finance (Defi) protocol Zabu has been exploited.

On September 12, industry publication DeFiPrime stated that Zabu Finance had been abused for $3.2 million in what could be Avalanche’s first large attack. The protocol responded with its own tweet, confirming the exploit and stating that the funds were stolen from its SPORE pool.

⚠️ @zabufinance $ZABU exploited ⚠️

Probably it is the first big exploit on #avalanche?

About $3.2M stolen:$WETH: 402.9$WAVAX: 23,157$PNG: 21,501$AVE: 106,848$USDT:361,267$JOE:23,958.93

TX https://t.co/LeztPDtMeX

— defiprime (@defiprime) September 12, 2021

“Zabu Team Wallet has not sold a single Zabu. We’re under an exploit, possibly from Spore Pool. We’re investigating the exploit. Need help,”

It went on to say that the attacker used the protocol’s “Transfer Tax” mechanism to mint tokens, causing the price to plummet. The attacker exploited a flaw in the contract that yield farms employ to distribute incentives. PeckShield, a security firm, stated that “the same bug happened many times before.”

Snapshot, launch v2, move on Zabu Finance, which describes itself as an Avalanche full-stack Defi station, explained that the attacker interacted with the contract to remove 4.5 billion ZABU tokens in order to accumulate liquidity provider tokens in other farms on the Avalanche Pangolin and Trader Joe DEXes. As the hacker fled with the loot, those were sold.

Zabu reduced the rewards to zero so that users may withdraw monies after discovering that the Zabu Farms had been hacked. The team now intends to take a snapshot prior to the hack while simultaneously looking for a remedy for individuals that bought in after the exploit. It will award ZABU v2 tokens to individuals affected and relaunch the farm as v2 with a Zabu v1 staking pool for those that hacked in.

“In that way, people who lost money pre-hack will get distributed the tokens, and continue to support the protocol if they want. For the late buyer (post-hack), they can also participate in the Farm V2 by staking what they’ve bought in a Zabu V1 Staking Pool.”

Prices for ZABU falling

Prices fell to zero as a result of the withdrawal of so many ZABU tokens (or close to it). According to CoinGecko, they were trading at roughly $0.004 on Sunday and are now almost worthless ($0.00002).

Zabu Finance is the most recent in a long line of spurious Defi protocols exploited in 2021. According to DeFiYield’s REKT database, similar hacks, scams, and rug pull have cost $1.6 billion in the last five years.

Also Read: Zimbabwe’s Finance Minister Encourages People To Invest In Bitcoin