The Avalanche flash loan exploit saw $371K in USDC stolen.

Avalanche-based lending protocol Nereus Finance has fallen victim to an exploit in which an attacker drained $371,000 worth of USD Coin (USDC) through a custom smart contract.

Blockchain security firm CertiK was among the first to flag the exploit on Sept. 6, reporting that the attack involved liquidity pools on Nereus linked to the decentralized exchange Trader Joe and the automated market maker Curve Finance.

CertiK's alert listed the underlying protocols themselves as affected. Curve Finance pushed back on Twitter on Sept. 7: “Probably not ‘affected assets’ but ‘affected protocols’. Only @nereusfinance and its properties seem to be affected.”

On Sept. 7, Nereus Finance published a postmortem detailing the incident, in which an attacker (described in the postmortem as an “exploitative” AVAX/USDC trader) deployed a custom smart contract that took a $51 million flash loan from Aave and used it to artificially manipulate the price of the AVAX/USDC Joe LP (JLP) token within a single block.

With the JLP collateral overvalued, the anonymous attacker was able to mint 998,000 of Nereus’ native stablecoin NXUSD against only $508,000 worth of collateral. They then swapped the NXUSD into other assets across several liquidity pools and walked away with a net profit of $371,406 once the flash loan was repaid.

The attack left the protocol with roughly $500,000 of NXUSD “bad debt.”
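The mechanism above is worth seeing in numbers. The following is an added example, not Nereus code and not taken from the postmortem. The page does not say how Nereus priced JLP collateral or what exactly the “missing step” was; the example assumes the most common way this class of bug arises, valuing LP tokens at the pool's own in-block spot price, and contrasts it with Alpha Homora's “fair LP pricing” formula (2·√k·√(p0·p1) / supply, with prices from an external oracle) as one known mitigation. Pool reserves, the attacker's LP balance, the loan size and the loan-to-value ratio are constructed toy figures, and the pool is modelled fee-free so the unwind is lossless.

```python
"""Toy model of a single-block LP-token price manipulation via flash loan.

Constructed example for illustration; not Nereus Finance code. The pool,
attacker balances and LTV are made-up numbers.
"""
from dataclasses import dataclass
from math import sqrt


@dataclass
class ConstantProductPool:
    """Uniswap-v2-style AVAX/USDC pool (x * y = k), fee-free for simplicity."""
    reserve_avax: float
    reserve_usdc: float
    lp_supply: float  # total LP (JLP-style) tokens outstanding

    @property
    def k(self) -> float:
        return self.reserve_avax * self.reserve_usdc

    def spot_price_avax(self) -> float:
        """Instantaneous USDC-per-AVAX price read straight off the reserves."""
        return self.reserve_usdc / self.reserve_avax

    def swap_usdc_for_avax(self, usdc_in: float) -> float:
        """Sell USDC into the pool along x*y=k; returns AVAX received."""
        k = self.k
        self.reserve_usdc += usdc_in
        new_avax = k / self.reserve_usdc
        avax_out = self.reserve_avax - new_avax
        self.reserve_avax = new_avax
        return avax_out

    def swap_avax_for_usdc(self, avax_in: float) -> float:
        """Sell AVAX into the pool along x*y=k; returns USDC received."""
        k = self.k
        self.reserve_avax += avax_in
        new_usdc = k / self.reserve_avax
        usdc_out = self.reserve_usdc - new_usdc
        self.reserve_usdc = new_usdc
        return usdc_out


def naive_lp_value(pool: ConstantProductPool, lp_amount: float) -> float:
    """Manipulable valuation (assumed bug): reserves priced at the pool's own spot.

    Since spot = usdc/avax, the total collapses to 2 * reserve_usdc, so dumping
    USDC into the pool inflates every LP token's apparent value in that block.
    """
    total = pool.reserve_usdc + pool.reserve_avax * pool.spot_price_avax()
    return total / pool.lp_supply * lp_amount


def fair_lp_value(pool: ConstantProductPool, lp_amount: float,
                  oracle_price_avax: float, oracle_price_usdc: float = 1.0) -> float:
    """Manipulation-resistant valuation (Alpha Homora-style fair LP pricing):
    2 * sqrt(k) * sqrt(p0 * p1) / supply, with p0, p1 from an external oracle.
    A fee-free swap leaves k unchanged, so skewing the reserves in-block does
    not move the result."""
    total = 2 * sqrt(pool.k) * sqrt(oracle_price_avax * oracle_price_usdc)
    return total / pool.lp_supply * lp_amount


def simulate_flash_loan_attack(flash_usdc: float, attacker_lp: float,
                               ltv: float, oracle_price_avax: float) -> dict:
    """One atomic transaction: flash-borrow USDC, skew the pool, have the lender
    price the attacker's LP collateral under each rule, unwind, repay the loan.
    Returns how much stablecoin each rule would let the attacker mint and the
    bad debt the naive rule leaves behind. All figures are constructed."""
    pool = ConstantProductPool(reserve_avax=1_000_000, reserve_usdc=20_000_000,
                               lp_supply=1_000_000)
    true_collateral = fair_lp_value(pool, attacker_lp, oracle_price_avax)

    # 1. Flash loan lands; dump it into the pool to inflate reserve_usdc.
    avax_bought = pool.swap_usdc_for_avax(flash_usdc)

    # 2. Lending protocol values the LP collateral *in this same block*.
    naive_mint = naive_lp_value(pool, attacker_lp) * ltv
    fair_mint = fair_lp_value(pool, attacker_lp, oracle_price_avax) * ltv

    # 3. Unwind the swap and repay the flash loan (lossless because fee-free).
    usdc_back = pool.swap_avax_for_usdc(avax_bought)
    assert abs(usdc_back - flash_usdc) < 1e-3, "flash loan must be repaid in full"

    # Whatever was minted beyond the collateral's real worth is protocol bad debt.
    bad_debt = max(0.0, naive_mint - true_collateral)
    return {"naive_mint": naive_mint, "fair_mint": fair_mint, "bad_debt": bad_debt}


if __name__ == "__main__":
    print(simulate_flash_loan_attack(flash_usdc=51_000_000, attacker_lp=10_000,
                                     ltv=0.9, oracle_price_avax=20.0))
```

With these toy numbers the attacker's 10,000 LP tokens are really worth $400,000 under both rules before the swap; after the $51M USDC dump the naive rule values them at $1.42M and lets the attacker mint $1,278,000 at 90% LTV, while the fair rule still caps the mint at $360,000. The unwind returns exactly the loan principal, so the attacker keeps the minted stablecoin and the lender is left holding $878,000 of undercollateralized debt, the same shape as the bad debt the postmortem describes.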

Nereus’ team moved quickly to contain the situation: after consulting security experts, devising a mitigation plan and notifying law enforcement, it shut down the affected JLP market.

The bad debt was paid off with NXUSD from the team’s treasury.

Nereus attributed the exploit to a “missing step” in the calculation of the collateral’s value, which is what made the price manipulation possible. However, the team said, “no users’ funds are at risk, and NXUSD continues to be held above collateral” and “the lending and borrowing protocol was not affected by this exploit.”

Nereus is confident the same exploit cannot be repeated, saying the team will tighten its auditing and security procedures to prevent similar incidents.

“While this exploit is an unfortunate event – it is not uncommon for protocols to face these types of combat challenges.”

As of this writing, the Nereus team is working to identify the attacker and trace the funds, and has offered a 20% white-hat bounty for their return, no questions asked.

Related: Solana-based stablecoin NIRV is down 85% after a $3.5M exploit

Despite this latest flash loan exploit and several other notable incidents this year, CertiK’s August 2022 Monthly Skynet Alerts Report, released on Sept. 2, showed a significant decrease in this type of attack.

Compared with the previous month, August saw a 95% drop in flash loan exploits, with total losses of just $745,244, the second-lowest monthly figure this year.

February remains the lowest month on record, with just over $200,000 lost to flash loan exploits.