Nereus Finance, an Avalanche-based lending protocol, fell victim to a smart contract loan exploit, losing $371,000 in USD Coin (USDC), CoinTelegraph wrote.
Blockchain cybersecurity company CertiK first revealed the attack two days ago, indicating that it had affected Nereus-based liquidity pools, related to Trader Joe, a decentralized exchange, and AMM Curve Finance.
Only assets impacted, not protocols
The cybersecurity firm also suggested that the exploit affected the underlying protocols. Curve Finance tweeted on September 7 that it was only the assets that had been impacted, not the protocols, and “only Nereus Finance and its assets seem impacted.”
Hacker used $51m flash loan from Aave
Nereus Finance revealed that a hacker deployed a custom smart contract, which used a $51 million flash loan from Aave to manipulate the pool price artificially. The specific price was related to the AVAX/USDC liquidity pool of the DEX Trader Joe.
The hacker minted just under a million NXUSD, Nereus’ native token, in exchange for collateral worth $508,000.
They then used different liquidity pools to exchange the funds into various assets, netting a profit of $371,406 after returning the flash loan.
The ultimate result was bad debt in the amount of $500,000 in the NXUSD protocol.
Nereus with speedy mitigation plan
Nereus took speedy measures. The team paused and liquidated the exploited market after informing law enforcement, talking to security experts, and creating a mitigation plan. Reportedly, the treasury was used to pay off the bad debt in NXUSD.
Nereus reported that the exploit was due to a “missed step” in the calculation of the price. The team emphasized that no user funds were at risk, and NXUSD was still overcollateralized. The exploit affected neither the lending nor the borrowing protocol.
The platform is certain this will never happen again because the team will change its security and audit practices to prevent such exploits moving forward. The team stated, “While this exploit is a bad incident — it’s not uncommon for protocols to face these types of battle tests.”
Nereus offers 20% for return of funds
Nereus is working on tracing the stolen funds and identifying the hacker. They are offering a 20% reward to any White Hat hacker who’s able to retrieve the money.
While such exploits continue, they are slowing down. In August, there were 95% fewer flash loan attacks than in July. A total of $745,244 was lost that month, the second lowest in 2022. The worst month for attackers was February.