- On December 21st, 2021, a malicious contract drained Visor Finance’s staking contract of 8,812,958 VISR tokens.
- They will be launching a new token that replaces the old one.
- They have already begun the process of listing the new token on various registries.
On December 21st, 2021, 02:29:11 PM UTC, a malicious contract drained Visor Finance’s staking contract of 8,812,958 VISR tokens. The Visor team appears to be working on a solution, but the token’s value has plummeted as a result. At the time, VISR was trading at roughly $0.93, bringing the total losses to around $8.2 million. The incident mainly affects VISR stakers and token holders, because the token’s price has plummeted since the attack.
The malicious contract implemented the IVisor delegateTransferERC20 interface and called the staking contract’s withdraw function with the desired VISR amount. The attack was possible because the staking contract depended on an arbitrary, caller-supplied implementation of IVisor delegateTransferERC20. The exploit was first brought to the attention of Visor Finance via Twitter.
They said in their statement that when they previously suffered an exploit during their guarded launch, they replaced users’ funds. This time will be no different: they are restoring VISR holders and vVISR stakers. They have outlined a remedy that will be swift.
According to their post-mortem, the staking contract should not rely on a user-provided contract to implement the required transfer function. The staking contract should instead rely on a fixed transfer implementation such as ERC20.transferFrom. Visor Finance said in their report that they are engaged with both Quantstamp and ConsenSys Diligence for December and January audits. The new staking contract will be included in those audits.
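The design flaw and the fix named in the post-mortem, as an added example: this is a simplified model written for this article, not Visor Finance's contract code. `IVisor` and `delegateTransferERC20` are the names used above; the function signature, the `StakingModel` contract and its function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Interface and function names come from the article; the signature is an assumption.
interface IVisor {
    function delegateTransferERC20(address token, address to, uint256 amount) external;
}

// Hypothetical, simplified staking contract used only to contrast the two patterns.
contract StakingModel {
    IERC20 public immutable token;
    mapping(address => uint256) public staked;

    constructor(IERC20 token_) {
        token = token_;
    }

    // WEAK: `from` is chosen by the caller, so the code behind
    // delegateTransferERC20 is caller-controlled. If that code returns
    // without moving any tokens, the stake is credited anyway.
    function stakeViaCallerContract(address from, uint256 amount) external {
        require(amount > 0, "zero amount");
        IVisor(from).delegateTransferERC20(address(token), address(this), amount);
        staked[msg.sender] += amount;
    }

    // HARDENED: the transfer runs inside the token contract (a fixed
    // implementation), and the credit equals the measured balance increase.
    function stake(uint256 amount) external {
        require(amount > 0, "zero amount");
        uint256 balanceBefore = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = token.balanceOf(address(this)) - balanceBefore;
        require(received == amount, "short transfer");
        staked[msg.sender] += received;
    }
}
```

The balance-before/after comparison is an extra check beyond the post-mortem's recommendation; it ties the credited amount to tokens the contract actually received.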
They will be launching a new token that replaces the old one. It will be confusing if the ticker stays the same. What they have opted to do is replace the old VISR token ticker symbol with the new one. All tokenomics will stay the same and there will be a redemption (from the time of the snapshot) of 1:1 with the new token, including those staked in the vVISR contract and those staked in Tokemak.
They have already begun the process of listing the new token on various registries to make sure it is visible to and recognized by DEXes and wallets from day one. No one should buy VISR, as it will not be redeemable for the new token.