Midas Capital suffered a $660,000 exploit after an attacker used a flash loan exploit on a Jarvis Polygon pool. The team has released a postmortem explaining what happened.
DeFi lending and borrowing platform Midas Capital has released a postmortem on the $660,000 exploit it experienced on Jan. 16. Midas Capital paused the borrowing on the Jarvis Polygon pool, which was the source of the exploit. The team said that a suspicious transaction used a recently added collateral token.
Not long after the exploit, the team released the postmortem. It stated that Midas listed the WMATIC-stMATIC Curve LP token only a few days ago. This was not yet announced and had a supply cap of $250,000.
The Jarvis Network team and Midas Capital were discussing adding new collateral options and placing supply caps to prevent large borrows. This wasn’t enough to prevent the exploit, which was the popular flash loan kind that has plagued the market for years.
The flash loan exploit saw the attacker inflation the price of the LP token, borrowing against it. They made away with over $660,000 of jAssets. The team admitted that it made a judgment error, thinking that the reentrancy would it had seen in the past would not affect the chain’s native ‘raw_call’ function.
Devs Reach Out to Offer Bounty
The developers have made attempts to recover the funds. They have reached out to the attacker in the hopes that they will return it, offering a bug bounty in return. So far, there have been no updates on whether the attacker has responded.
Meanwhile, the team is looking at other ways to deal with the losses. They are conducting internal processes to prevent a repeat of the attack. It notes that establishing borrowing limits on newly added collateral or having a cooldown period would have limited the attack surface.
The Midas Capital team claims it will focus on exercising caution when adding new collateral and work on developing a risk assessment framework. It also plans to add more checks and balances.
DeFi exploits continue to haunt the market, and these don’t seem to have waned in the past year. In 2022, the value of losses that the crypto and DeFi market hit was $3.9 billion, with ImmuneFi highlighting that there were 168 incidents. Only $204 million was recovered, amounting to 5.2% of the total value.
However, white hat hackers have contributed towards security considerably. They have saved over $20 billion from hacks in 2022, and perhaps this might reduce the value lost in 2023. Even the FBI has chimed in, offering safety tips to DeFi users.
Disclaimer
BeInCrypto has reached out to company or individual involved in the story to get an official statement about the recent developments, but it has yet to hear back.
Source: https://beincrypto.com/midas-capital-releases-660000-exploit-post-mortem-defi-attacks-carry-into-2023/