Avalanche-based Nereus Finance Suffers Flash Loan Attack: Post-Mortem
- Nereus Finance has suffered an attack in which $371,000 worth of user funds, held as USD Coin (USDC), was drained through a smart contract exploit.
- CertiK first flagged the attack and reported that Nereus liquidity pools connected to the automated market maker Curve Finance and the decentralized exchange Trader Joe were affected.
Avalanche-based lending platform Nereus Finance has suffered an attack in which $371,000 worth of user funds, held as USD Coin (USDC), was drained through a smart contract exploit.
On September 6, blockchain security firm CertiK first flagged the attack, reporting that Nereus liquidity pools connected to the automated market maker Curve Finance and the decentralized exchange Trader Joe were affected.
CertiK also suggested that the underlying protocols were affected. Curve Finance disagreed, stating that only Nereus was impacted.
It stated on Twitter on September 7:
“Maybe you meant ‘assets impacted,’ not ‘protocols impacted’. Only [Nereus Finance] and its assets seem impacted.”
Nereus Finance has since published a detailed post-mortem of the attack. It explains that the attacker deployed a custom smart contract that took a $51 million flash loan from Aave and used it to deliberately skew the price of the AVAX/USDC Trader Joe LP (JLP) pool, whose LP token Nereus accepts as collateral.
Later on the night of September 6, Nereus alerted users on its community Discord. In the hours that followed it consulted security specialists, drew up a mitigation plan and notified law enforcement. According to the report, the team contained the damage by liquidating positions in the exploited JLP market and pausing it.
Nereus Finance further confirmed that the attacker minted $998,000 worth of its native stablecoin NXUSD against $508,000 worth of collateral. The attacker then swapped the NXUSD into other assets through several liquidity pools and, after repaying the flash loan, walked away with a net gain of $371,000. Because the JLP collateral had been valued at the manipulated price, the position was undercollateralized once the pool price reverted, leaving roughly $500,000 of NXUSD bad debt in the protocol, which the team reportedly covered from its treasury.
The Nereus team is working to trace the attacker and the funds and has offered a 20% white-hat bounty for the return of the assets.
Nereus also says it is changing its “audit and security policies to ensure these types of events do not occur in the future.”
“Going forward, TWAP calculations will be implemented along with other upgrades to pricing feeds for collateral assets that do not have Chainlink oracles,”
the lending protocol states.
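The post-mortem summary above (a flash loan used to skew the JLP pool, NXUSD minted against collateral valued at the skewed price) and the TWAP remedy quoted from Nereus describe one mechanism. The toy model below walks through it in working code. It is an added example, not code from Nereus, Trader Joe, Aave or Curve: the constant-product pool, the LP-share pricing formula, the Uniswap-v2-style cumulative TWAP, the pool sizes, the attacker's LP balance, the flash-loan size and the 90% loan-to-value ratio are all constructed for illustration.

```python
# Added example: spot-reserve vs TWAP valuation of LP collateral under a
# flash-loan pool skew. Not Nereus/Trader Joe/Aave code; all figures constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

LTV = 0.90  # assumed loan-to-value ratio for LP-token collateral


@dataclass
class ConstantProductPool:
    """x*y=k pool (Uniswap v2 / Trader Joe style). Fee charged on the input side."""
    avax: float
    usdc: float
    lp_supply: float
    fee: float = 0.003

    def spot_avax_price(self) -> float:
        return self.usdc / self.avax

    def swap_usdc_for_avax(self, usdc_in: float) -> float:
        net = usdc_in * (1 - self.fee)
        avax_out = self.avax * net / (self.usdc + net)
        self.usdc += usdc_in
        self.avax -= avax_out
        return avax_out

    def swap_avax_for_usdc(self, avax_in: float) -> float:
        net = avax_in * (1 - self.fee)
        usdc_out = self.usdc * net / (self.avax + net)
        self.avax += avax_in
        self.usdc -= usdc_out
        return usdc_out

    def naive_lp_price(self) -> float:
        """LP share valued from live reserves at the live spot price.
        Since avax * spot == usdc this equals 2*usdc/supply, so pushing USDC
        into the pool raises it within the same transaction."""
        return (self.usdc + self.avax * self.spot_avax_price()) / self.lp_supply


class CumulativeTwap:
    """Uniswap-v2-style accumulator: cumulative += price_in_effect * elapsed."""

    def __init__(self) -> None:
        self.cumulative = 0.0
        self.last_ts: Optional[int] = None
        self.last_price = 0.0
        self.snapshots: List[Tuple[int, float]] = []  # (ts, cumulative at ts)

    def update(self, ts: int, price: float) -> None:
        if self.last_ts is not None:
            self.cumulative += self.last_price * (ts - self.last_ts)
        self.last_ts, self.last_price = ts, price
        self.snapshots.append((ts, self.cumulative))

    def consult(self, now: int, window: int) -> float:
        """Time-weighted price over [now-window, now]. A price set only in the
        current block has zero elapsed time and therefore zero weight."""
        for ts0, cum0 in self.snapshots:
            if ts0 >= now - window:
                break
        else:
            raise ValueError("no observation inside the window")
        if ts0 == now:
            raise ValueError("window must span at least one past block")
        cum_now = self.cumulative + self.last_price * (now - self.last_ts)
        return (cum_now - cum0) / (now - ts0)


def simulate(use_twap: bool, hold_blocks: int = 0) -> dict:
    """Flash-loan USDC -> skew pool -> mint against LP collateral -> unwind.
    hold_blocks > 0 models an attacker who keeps the skew across blocks, which
    a flash loan cannot do because it must be repaid in the same transaction."""
    pool = ConstantProductPool(avax=100_000.0, usdc=2_000_000.0, lp_supply=100_000.0)
    oracle = CumulativeTwap()
    for ts in range(1, 11):                  # ten quiet blocks, LP share = $40
        oracle.update(ts, pool.naive_lp_price())

    attacker_lp = 1_000.0                    # fair value 1_000 * $40 = $40_000
    fair_collateral = attacker_lp * pool.naive_lp_price()

    now, flash_loan = 11, 20_000_000.0       # constructed loan size
    avax_out = pool.swap_usdc_for_avax(flash_loan)
    for _ in range(hold_blocks):
        oracle.update(now, pool.naive_lp_price())
        now += 1

    lp_px = oracle.consult(now, window=10) if use_twap else pool.naive_lp_price()
    collateral_valued_at = attacker_lp * lp_px
    minted = collateral_valued_at * LTV      # stablecoin debt issued to attacker

    usdc_back = pool.swap_avax_for_usdc(avax_out)  # unwind to repay the loan
    return {
        "fair_collateral": fair_collateral,
        "collateral_valued_at": collateral_valued_at,
        "minted": minted,
        "excess_debt": minted - fair_collateral * LTV,
        "swap_round_trip_cost": flash_loan - usdc_back,
    }


if __name__ == "__main__":
    for label, kw in [("spot", {"use_twap": False}),
                      ("twap, same block", {"use_twap": True}),
                      ("twap, skew held 1 block", {"use_twap": True, "hold_blocks": 1})]:
        r = simulate(**kw)
        print(f"{label:24s} collateral ${r['collateral_valued_at']:>10,.0f}"
              f"  minted ${r['minted']:>10,.0f}  excess debt ${r['excess_debt']:>10,.0f}")
```

With these constructed numbers the spot-valued market prices the attacker's 1,000 LP shares at $440,000 instead of $40,000 and issues $396,000 of debt against them, while the round-trip swap costs only a few thousand dollars in fees and slippage; the excess becomes bad debt the moment the pool reverts. The TWAP path values the same shares at $40,000 because the skew has no elapsed time in the window. The caveat is in the third scenario: a TWAP only dampens moves shorter than its window, so an attacker who can hold the skew for a block with their own capital still shifts it, which is why the window length matters as much as the switch away from spot reads.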