DeFi App Steadefi Grapples With Major Exploit, All Funds At Risk

Steadefi has become the latest DeFi entity to be hit with an exploit, with the company stating in a tweet on X that all the funds it currently holds are at risk of becoming irrecoverable. 

Recent hacks have taken a toll on the space and have put considerable strain on public trust in DeFi apps.

Details Of The Hack 

News of the attack first became public on the 7th of August, when it emerged that the decentralized finance app was hit by an exploit of at least $334,000. While the attack was ongoing, the protocol’s development team put out a message on X, stating that the attack had put all funds held on the platform at risk and they could become irrecoverable. As a result, the app’s total value locked (TVL) fell off a cliff, according to data from DefiLlama. The team posted a message stating, 

“NOTICE: Steadefi has been exploited, and all funds are currently at risk.”

The team, while confirming the attack, posted a follow-up message on X and explained how the attack occurred. According to the message, the hacker managed to gain access to the private key of the team’s deployer wallet and perform OwnerOnly functions. After gaining access to OwnerOnly functions, the hacker executed several OwnerOnly actions, such as allowing any wallet to borrow funds from lending vaults. 

The team further stated that the attacker managed to drain all loanable funds. However, it assured users that all collateral held in vaults and not lent out was secure. This is because the app does not contain OwnerOnly functions to remove deposits. This means those users who deposited funds to the app’s “strategy” vaults could withdraw some of their funds. 

Farming Contracts Stopped 

Meanwhile, the hacker also stopped farming contracts through an OwnerOnly function. This means all users who deposited svTokens or ibTokens to farms are currently unable to withdraw their funds. The post states that the funds are essentially stuck in the app’s contracts, with token holders who deposited into the farms left in the lurch. 

According to details currently available, the tokens transferred to the address in question include 130,429 USD Coin, 3.39 BTC, 6184 Avalanche (AVAX), and 15 Wrapped Ether (WETH). Apart from the Wrapped Ether, all other tokens were immediately swapped for WETH. The attacker then bridged 184 WETH to another network via the Synapse Bridge. 

Steadefi Attempts To Negotiate With Hackers 

The development team also confirmed that it is attempting to negotiate with the hackers and has sent an on-chain message to the hacker’s address, 0x9cf71F2ff126B9743319B60d2D873F0E508810dc, on Ethereum. Blockchain data has revealed that the address saw a large number of inflows on the Avalanche Chain. The development team seems to have taken a leaf out of Curve Finance, Metronome, and Alchemix’s playbook, offering 10% of the stolen funds as a bounty in return for the remaining 90%. The team also told the hacker that should they return the funds, there would be no involvement of law enforcement agencies or legal actions. 

“Steadefi would like to discuss a bounty with any parties who were involved in the recent Steadefi exploit. We are offering a 10% bounty of any funds stolen, which are yours to keep if you return the remaining 90%.”

However, like Curve, in a stark warning, the team added that should the hackers refuse the offer, Steadefi would offer the 10% as a bounty to anyone in the public who could identify or supply information that leads to a conviction. Clearly, Steadefi hopes to see the funds return without any further complications. However, the platform is more than willing to fight for the funds should it need to. The offer expires on the 10th of August at 0800 UTC. 

“You will have no risk of us pursuing this further, no risk of law enforcement issues, etc. If you choose not to partake in the voluntary return and complete the process by the 10th of August at 0800 UTC, we will expand the bounty to the public and offer the full 10% to the person who is able to identify you in a way that leads to your conviction in the courts. We will pursue you from all angles with the full extent of the law.”

DeFi’s Hacker Headache 

Crypto and DeFi remain highly vulnerable to bad actors, even as the space looks for wider acceptance. Last month, Coinspaid fell victim to an attack orchestrated by the dreaded Lazarus Group, a North Korean-backed hacker group. An analysis showed how the breach occurred and found multiple vulnerabilities in Coinspaid’s security. At the beginning of August, decentralized exchange LeetSwap suspended trading thanks to fears of a potential exploit. Bankrupt crypto platform Voyager also suffered a breach in the middle of its court-supervised recovery process. Another August heist saw a scammer steal around $20 million worth of USDT through a zero transfer phishing attack. However, Tether was quick to respond, freezing the attacker’s address and blacklisting them.

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.