Explained: The AVATerra Hack (October 2021)

Rob Behnke

AVATerra Finance is a revenue aggregation protocol that launched on the Avalanche network on October 20, 2021.  The next day, the protocol was the victim of a hack in which the attacker minted thousands of tokens that they then dumped.

Inside the Attack

AVATerra Finance is a fork of Goose Finance but is not a straight fork.  Before deploying the contracts, the AVATerra team made some modifications to customize the code to their needs.

One of these modifications was the creation of a token minting function, which would create a certain number of tokens and send them to a specified address.  Many smart contracts have functions like this with access restricted to the project developer.

The problem with AVATerra Finance is that it created this minting function without any access controls, making it publicly callable by anyone.  The attacker noticed this and used the function to mint thousands of tokens that they then dumped, causing the value of the token to plummet.
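The defect described above, as an added illustration that is not AVATerra's deployed code: a constructed minimal token whose `mint()` is shown once with no access control (any caller can inflate the supply) and once gated by an owner check; the `Owned` and `MintableBase` contracts are assumed stand-ins for the project's real base contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration, not AVATerra's deployed code: a minimal token
// with supply tracking, shown once with an unguarded mint() and once guarded.

// Minimal owner tracking (stands in for OpenZeppelin's Ownable).
abstract contract Owned {
    address public immutable owner;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "Owned: caller is not the owner");
        _;
    }
}

// Shared supply bookkeeping; _mint is internal so only the contract's own
// external entry points decide who may call it.
abstract contract MintableBase {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    event Transfer(address indexed from, address indexed to, uint256 value);

    function _mint(address to, uint256 amount) internal {
        totalSupply += amount;           // 0.8.x reverts on overflow
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }
}

// VULNERABLE: the public entry point has no modifier, so any address can
// inflate the supply at will. This is the defect class described above.
contract UnrestrictedMintToken is Owned, MintableBase {
    function mint(address to, uint256 amount) external {
        _mint(to, amount);
    }
}

// FIXED: identical logic gated by onlyOwner; every other caller reverts.
contract RestrictedMintToken is Owned, MintableBase {
    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }
}
```

A unit test that calls `mint()` from a non-owner account and expects a revert on `RestrictedMintToken` (and observes success on `UnrestrictedMintToken`) is the check that would have flagged this before deployment.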

Lessons Learned From the Attack

Forking a successful project can be a quick way to develop and launch a new project.  If that project’s contracts have undergone and passed a security audit, then an unmodified copy of those contracts inherits the assurance that audit provided.

However, all of this goes out the window if edits are made to a smart contract after the security audit.  The AVATerra Finance hack is a prime example of the importance of performing a security audit before deploying any contract, including edits made to previously audited code.  A simple access control error left the contract vulnerable to attack and killed the project within a day of its launch.
