AVATerra Finance is a revenue aggregation protocol that launched on the Avalanche network on October 20, 2021. The next day, the protocol was the victim of a hack in which the attacker minted thousands of tokens that they then dumped.
Inside the Attack
AVATerra Finance is a fork of Goose Finance, but not a straight one: before deploying the contracts, the AVATerra team modified the code to customize it to their needs.
One of these modifications was the creation of a token minting function, which would create a certain number of tokens and send them to a specified address. Many smart contracts have functions like this with access restricted to the project developer.
The problem with AVATerra Finance is that it created this minting function without any access controls, making it publicly callable by anyone. The attacker noticed this and used the function to mint thousands of tokens that they then dumped, causing the value of the token to plummet.
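To make the access-control point concrete, here is an added illustration, not AVATerra's or Goose Finance's actual code: a token with an unrestricted mint function beside the same function gated by an owner check. The contract and function names, the `mint(address,uint256)` signature and the use of OpenZeppelin's `ERC20` base contract are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumes OpenZeppelin's ERC20 base contract (v3.x through v5.x all
// expose the ERC20(name, symbol) constructor and the internal _mint).
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

// Vulnerable pattern (constructed example): a mint function added after the
// fork with no access control, so any address can call it.
contract UnrestrictedMintToken is ERC20 {
    constructor() ERC20("Example Token", "EXM") {}

    // No modifier or caller check: anyone can mint any amount to anyone.
    function mint(address _to, uint256 _amount) external {
        _mint(_to, _amount);
    }
}

// Hardened pattern: the same function restricted to a single owner.
// The owner check is written inline here to avoid depending on a
// particular OpenZeppelin Ownable constructor signature.
contract RestrictedMintToken is ERC20 {
    address public owner;

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    modifier onlyOwner() {
        require(msg.sender == owner, "RestrictedMintToken: caller is not the owner");
        _;
    }

    constructor() ERC20("Example Token", "EXM") {
        owner = msg.sender;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    // Only the owner (typically the protocol's staking contract) may mint.
    function mint(address _to, uint256 _amount) external onlyOwner {
        _mint(_to, _amount);
    }

    // Allows ownership to be handed to the contract that should mint,
    // while rejecting the zero address.
    function transferOwnership(address _newOwner) external onlyOwner {
        require(_newOwner != address(0), "RestrictedMintToken: new owner is the zero address");
        emit OwnershipTransferred(owner, _newOwner);
        owner = _newOwner;
    }
}
```

A review of post-fork edits should confirm that every function which mints, burns or moves funds carries a check like `onlyOwner`, and a unit test that calls `mint` from a non-owner address and expects a revert catches this class of error before deployment.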
Lessons Learned From the Attack
Forking a successful project can be a quick way to develop and launch a new project. If that project’s contracts have undergone and passed a security audit, then the new project inherits that strong security.
However, all of this goes out the window if edits are made to a smart contract after the security audit. The AVATerra Finance hack is a prime example of the importance of performing a security audit before launching any contract or code edits. A simple access control error left the contract vulnerable to attack and killed the project within a day of its launch.