QiDAO Exploited for $13M on Superfluid Vested Contract

Key Takeaways:

Qi Dao informed their users that superfluid’s vesting contract for QI has been exploited.
User funds on QiDao contracts are safe.
The exploit is solely on Superfluid.
QI bridging is temporarily paused.

Today Qi Dao informed their users that superfluid’s vesting contract for QI has been exploited. User funds on QiDao contracts are safe. The exploit is solely on Superfluid. Soon after informing about the exploit, QI gave a quick update.

QI informed that all funds in QiDao are safe and no user funds have been affected. But they are aware there are other tokens affected. QI bridging is temporarily paused. QiDAO faced an exploit on its Superfluid vesting contract which lead to a 65% drop in the price of the governance token QI. QI price fell from $1.24 to $0.18.

1/2

Quick Update. We're still assessing the situation.

– We can confirm that all funds in QiDao are safe.
– No user funds have been affected.
– We're aware there are other tokens affected.
– We'll update the community when we learn more.
– Qi bridging is temporarily paused.
— Qi Dao (@QiDaoProtocol) February 8, 2022

Superfluid confirmed the exploit on QiDAO. According to Superfluid today at 6.48 am GMT they were notified of a potential exploit of the QiDAO vesting contract. The contract leverages Superfluid code. Superfluid is investigating the incident and will update people accordingly. The protocol enables users to move assets on-chain in a constant flow in real-time from one wallet to another.

Superfluid is investigating a potential protocol layer exploit. As a precaution, they request people to unwrap all their SuperTokens. The attackers might be targeting wallets/contracts with large amounts.

The QI Vesting contract on Superfluid has been exploited. According to MistTrack, the attacker's address (0x157…090 ) has earned over $13m, including QI, WETH, USDC, SDT, MOCA, STACK, sdam3CRV, and MATIC and exchanged some QI, USDC, SDT, MOCA, STACK for ETH through 1inch. https://t.co/VIHxAJvQn2
— Wu Blockchain (@WuBlockchain) February 8, 2022

While there was no impact on the user’s funds, the hackers responsible for the attack were able to escape with $20 million in tokens, including 24 WETH, 562,000 USDC, 44 SDT, 1.5 million MOCA, 23,000 STACK, and nearly 40,000 sdam3CRV. According to early reports, the stolen funds belonged to some of the project’s early backers and included team vested tokens as well.

Polygon’s native stablecoin protocol QiDAO faced an exploit on its Superfluid vesting contract leading to a 65% drop in the price of the governance token QI. QI price fell from $1.24 to $0.18.QiDAO took to Twitter on Tuesday to acknowledge the exploithttps://t.co/VCBjVfrNN6 pic.twitter.com/8ApRFaUXTw
— droptown.io (@droptown_io) February 8, 2022

SlowMist created a fund tracker that shows the balance of each stolen token. They estimated that the hackers stole about $13 million in cryptocurrencies after analysing the wallet transaction data. After SlowMist analysis, the attackers exchanged some QI, USDC, SDT, MOCA, STACK for ETH through 1inch; exchanged 39,357.25 sdam3CRV to 43,910.09 amDAI. The attacker’s address (0x157…090 ) currently has a balance of 11,016.60 MATIC, 507,930.87 MOCA, 2,707.91 ETH, and 43,910.39 DAI.

The attackers began dumping stolen QiDAO on Quickswap DEX with high slippage, resulting in a 65% drop in the price of the governance token. The Polygon community took advantage of the opportunity to buy the dip, allowing the governance token to rise to $0.6 after falling below $0.18.

According to @QiDaoProtocol , the QI Vesting contract on Superfluid has been exploited.

1) After MistTrack analysis, the attacker's address (0x157…090) has made a profit of more than 13 million US dollars, including QI, WETH, USDC, SDT, MOCA, STACK, sdam3CRV and MATIC.
— SlowMist (@SlowMist_Team) February 8, 2022