Polygon based decentralized exchange QuickSwap stopped its lending pool after the hack of $220,000 worth of tokens in a flash loan attack on Monday, Flash loans are provided by DeFi networks without any collateral as long as the loan is repaid in the same transaction.
QuickSwap informed about the hack to its users and tweeted about closing the Lending service, QuickSwap assured that the hack did not affect the funds of the users and that the smart contracts are also unaffected.
Later then QuickSwap terminated the support for Market XYZ and requested compensation for the loss made to QiDao.
⚠️QuickSwap Lend is closing⚠️
🔗$220k was exploited in a flash loans attack due to a vulnerability with the Curve Oracle, which @marketxyz was using
☣ Only the Market XYZ lending market was compromised. QuickSwap’s contracts are unaffected
— QuickSwap (@QuickswapDEX) October 24, 2022
QiDao creators of stablecoin $MAI miMatic, tweeted that this hack is not related to their smart contracts.
A highlight of how QiDao & $MAI avoid issues with collateral assets👇
– Risk Management
– New asset onboarding process
— Qi Dao (@QiDaoProtocol) October 24, 2022
PeckShield. a blockchain security and data analytics company, in a tweet, explained that it was a price manipulation issue the hacker compromised the CurvePoolOracle price and borrowed the funds at a newly inflated price.
It is a price manipulation issue. The miMATIC market
uses CurvePoolOracle for price feed, which is manipulated to borrow funds from the market https://t.co/kDv10Zp2nz @market_xyz @QuickswapDEX @QiDaoProtocol https://t.co/muXdhubeJD pic.twitter.com/l5uWb5ynQQ
— PeckShield Inc. (@peckshield) October 24, 2022
The data shows, the attacker manipulated the price of the token by borrowing funds with a flash loan and used the inflated values as collateral which drained all liquidity from the QuickSwap pool.
Tokens including MATIC, Lido’s LDO, and staked MATIC were exchanged on privacy mixer Tornado Cash.