In what appears to be the first major hack in the Avalanche ecosystem, decentralized finance (DeFi) protocol Zabu Finance has been exploited through a smart contract bug for over $3.2 million.
Zabu Finance Exploited for $3.2 Million
The DeFi startup revealed that the attacker had exploited the protocol's Transfer Tax mechanism to mint tokens, causing the token price to collapse.
Taking advantage of a vulnerability in the contract that yield farms use to distribute rewards, the attacker relied on the same mechanism used in the PolyYeld Finance exploit in July and the Garuda and Cerburus exploit a month prior.
The hacker interacted with the contract to remove 4.5 billion ZABU tokens and accumulate liquidity provider tokens in other farms on the Avalanche Pangolin and Trader Joe DEXes, which were later sold for $600,000.
DeFi Industry Has Lost Over $1.6 Billion Over the Past 5 Years
Following the hack, Zabu set the rewards to zero so that users could withdraw their funds. The DeFi company is also planning to distribute its ZABU v2 tokens to affected users and restart the farm as v2, with a Zabu v1 staking pool for those who bought the token after the hack.
The removal of ZABU tokens caused the token's price to collapse to close to zero. Data from CoinGecko showed that ZABU was trading at around $0.004 yesterday and is at $0.00002373 at the time of writing.
Zabu Finance is the latest DeFi protocol to have been exploited this year. According to DeFiYield’s REKT database, the DeFi industry has lost over $1.6 billion to hacks, scams, and rug pulls over the past five years.