After $220,000 worth of tokens were exploited, QuickSwap, a Polygon-based DeFi protocol, ceased its lending services for users. The hackers manipulated token prices by borrowing funds using a flash loan, then used the inflated values as collateral to drain all liquidity from the affected QuickSwap pool.
Data showed that the stolen tokens, including MATIC, Lido’s LDO, and staked MATIC, were exchanged for other tokens on Tornado Cash. QuickSwap said it is closing QuickSwap Lend after $220k was exploited in a flash loan attack because of a vulnerability with the Curve Oracle. Flash loans are provided by some DeFi networks and do not require the borrower to post collateral as long as the loan is paid back in the same transaction.
Initially, QuickSwap attributed the exploit to a vulnerability with the Market XYZ platform, which used faulty oracles from DeFi protocol Curve and QiDao, a stablecoin issuer. QiDao stated that the exploit was unrelated to its smart contracts. Although QuickSwap said it would publish an update on the incident, there has been no further information.
PeckShield said the exploit was actually a price manipulation. It said the miMATIC market uses CurvePoolOracle for its price feed, which was manipulated to borrow funds from the market. The firm’s analysis outlined that the exploit used price manipulation to borrow funds at an inflated price, and that the hacker bridged the funds back to Ethereum before depositing them on Tornado Cash.
However, no user funds were compromised in the exploit.
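The failure mode PeckShield describes, a lending market trusting a pool's instantaneous price, can be shown next to a defensive check. The sketch below is an added example, not code from QuickSwap, Market XYZ, Curve or PeckShield. It assumes a simplified constant-product pool rather than Curve's actual invariant, and the `MAX_DEVIATION` and `LTV` values and all function names are hypothetical.

```python
from dataclasses import dataclass, field

MAX_DEVIATION = 0.05  # assumed policy: reject if spot differs from TWAP by >5%
LTV = 0.5             # assumed loan-to-value ratio of the lending market

@dataclass
class Pool:
    token: float                                  # collateral-token reserve
    usd: float                                    # stable-asset reserve
    history: list = field(default_factory=list)   # per-block closing prices

    def spot(self) -> float:
        return self.usd / self.token

    def swap_usd_in(self, amount: float) -> float:
        """Sell `amount` of the stable asset into the pool (no fee)."""
        k = self.token * self.usd
        self.usd += amount
        out = self.token - k / self.usd
        self.token -= out
        return out

    def end_block(self) -> None:
        self.history.append(self.spot())

    def twap(self, window: int) -> float:
        recent = self.history[-window:]
        return sum(recent) / len(recent)

def borrow_limit_spot(pool: Pool, collateral: float) -> float:
    # Weak design: values collateral at whatever the pool says right now.
    return collateral * pool.spot() * LTV

def borrow_limit_guarded(pool: Pool, collateral: float, window: int = 10) -> float:
    # Hardened design: price from closed blocks, and refuse on large deviation.
    ref = pool.twap(window)
    if abs(pool.spot() - ref) / ref > MAX_DEVIATION:
        raise ValueError("spot price deviates from TWAP; borrow rejected")
    return collateral * ref * LTV

def scenario():
    pool = Pool(token=1_000_000.0, usd=1_000_000.0)  # constructed reserves
    for _ in range(10):
        pool.end_block()                 # ten quiet blocks at price 1.0
    honest = borrow_limit_spot(pool, 1000.0)
    pool.swap_usd_in(1_000_000.0)        # constructed large swap, same block
    inflated = borrow_limit_spot(pool, 1000.0)
    try:
        borrow_limit_guarded(pool, 1000.0)
        rejected = False
    except ValueError:
        rejected = True
    return honest, inflated, rejected
```

In `scenario()` the spot-priced market quadruples the borrow limit after a single in-block swap, while the guarded version refuses because the spot price no longer matches the price recorded over earlier blocks.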