On September 12, 2021, the Zabu Finance project was the victim of an attack. By exploiting a vulnerability in the project’s smart contract, the attacker was able to steal $3.2 million in ZABU tokens. This is the first hack of a DeFi project hosted on Avalanche.
Inside the Attack
The Zabu Finance hack took advantage of how the smart contract recorded the number of tokens staked by a user. The SPORE token is designed to generate rewards for holders by charging a small fee for each transfer of them. This fee is then distributed to token holders as rewards.
The ZABUFarm contract recorded the number of SPORE tokens that the attacker staked rather than the actual number of tokens received by the contract (i.e. after the fee was extracted). When the attacker attempted to withdraw stake from the contract, they were credited with the full amount of their stake, meaning that the contract’s liquidity was slowly drained down to near-zero.
The ZABUFarm contract’s reward logic is based on the ratio of accumulated block rewards to the number of staked SPORE tokens within the contract. After performing this attack, there were nearly no SPORE tokens in the contract, meaning that the staking reward of the contract is calculated as a very high value. The attacker took advantage of this fact to drain the contract’s reward pool, causing its value to drop to zero.
Lessons Learned From the Attack
The Zabu Finance hack took advantage of the fact that the ZABUFarm contract does not appropriately manage deflationary tokens which charge a fee on transfers. However, this is not the first time this has occurred. An attack against PolyYeld Finance in July 2021 took advantage of an identical vulnerability in its Masterchef pool to steal xYELD tokens and cause the value of YELD to drop to zero.
This exploit underscores the importance of undergoing smart contract audits before deploying contracts and monitoring DeFi hacks. The exploit against PolyYeld should have warned similar contracts to add support for deflationary tokens in the MasterChef pools.