Vesting Contract for Polygon DeFi Protocol QiDAO Exploited for $13 Million

Polygon-based DeFi protocol QiDAO fell victim to an exploit of its Superfluid vesting contract on Tuesday, resulting in a loss of approximately $13 million.

The QiDAO protocol allows users to borrow stablecoins at 0% interest against their crypto holdings.

QiDAO acknowledged the exploit via Twitter; however, the team stressed that the vesting contract was exploited through a vulnerability in Superfluid, a smart contracts framework on Ethereum that enables users to transfer assets on-chain, rather than QiDAO itself.

Last year, Superfluid raised $9 million in a seed round from a group of private investors and venture capital firms.

While QiDAO insists that user funds are safe, crypto analytics SlowMist estimates that hackers managed to get away with more than $13 million in various tokens, including QI, WETH, USDC, SDT, MOCA, STACK, sdam3CRV, and MATIC.

QiDAO token plummets

The team at Superfluid confirmed it was “notified of a potential exploit of the QiDAO vesting contract that leverages Superfluid code,” adding that it is currently investigating the incident.

Users are also urged to “exercise caution and avoid interactions with Superfluid smart contracts until further notice.”

Following the incident, the price of the QiDAO governance token, Qi, plummeted by more than 70%, from $1.24 to $0.18 before rebounding to $0.70 by press time, according to CoinGecko.

The exploit also comes a day after Polygon, an interoperability and scaling protocol for creating Ethereum-compatible blockchains, raised $450 million in a funding round led by Sequoia Capital India.

Polygon’s native token, MATIC, is up 6.6% over the day, currently changing hands at $1.90 per CoinGecko.