An unknown person exploited a vulnerability in the Team Finance DeFi protocol and withdrew $15.8 million worth of cryptocurrency assets.
According to PeckShield experts, the attacker used a bug in the token migration function. He sent real liquidity from Uniswap V2 to new pairs on the third version of the protocol with a “distorted” price, returning a “huge profit”.
To implement the attack, he needed only 1.76 ETH worth ~$2730 at the time of writing.
The attacker transferred funds from the FixedFloat automated crypto exchange.
As a result, an unknown person withdrew from Uniswap V2:
~$15.4 million in Hunters Dream Tokens (CAW);
~$1.7 million in Dejitaru Tsuka (TSUKA);
~$2.6 million in WETH.
The Team Finance team confirmed the incident and stated that the function used by the attacker had been audited. The developers launched an investigation and offered the hacker to discuss a refund for a reward.
“We are temporarily suspending all operations through Team Finance until we are sure that the exploit has been eliminated. All funds currently in the protocol are not at further risk due to this vulnerability,” the team added.