Decentralized finance (DeFi) platform Team Exchange was hit by a devastating attack yesterday that cost the service over $14.5 million in crypto tokens.
The perpetrators exploited a smart contract bug in the platform’s protocol migration feature, letting them transfer liquidity from Team Finance Uniswap v2 assets to a rogue v3 pair with skewed pricing.
“$14.5M USD of tokens were exploited through the audited v2 to v3 migration function,” Team Finance announced on Twitter. “We have temporarily paused all activity through team finance until we are certain this exploit has been remedied. All funds currently on Team Finance are not at further risk of this exploit.”
The threat actors made off with USD Coin (USDC), TSUKA, CAW and KNDA tokens worth more than $14.5 million at the time of the incident.
“The protocol has a flawed migrate() that is exploited to transfer real UniswapV2 liquidity to an attacker-controlled new V3 pair with skewed price, resulting in huge leftover as the refund for profit,” tweeted blockchain security firm PeckShield Inc. “Also, the authorized sender check is bypassed by locking any tokens.”
While Uniswap v3 is deemed a more efficient protocol for liquidity providers (LP), v2 contracts were still left operational on the decentralized exchange. Furthermore, users who wanted to migrate their liquidity from v2 to v3 needed to do so through a migration smart contract.
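PeckShield's description points at two failures: liquidity deposited at a skewed price leaves a large refund, and authorization was not tied to the liquidity being moved. The Python sketch below is an added example, not Team Finance's contract or code from the article; it models a full-range deposit in simplified form and shows the checks a migration routine could apply. The `Migration` fields, the 1% thresholds and the sample values are assumptions made for illustration.

```python
# Added illustration: a simplified model, not Team Finance's or Uniswap's code.
from dataclasses import dataclass
from fractions import Fraction

@dataclass
class Migration:
    caller: str
    lock_owner: str     # owner recorded for the lock being migrated
    lock_token: str     # token held by that lock
    v2_lp_token: str    # LP token of the v2 pair being migrated
    amount0: int        # token0 withdrawn from the v2 pair
    amount1: int        # token1 withdrawn from the v2 pair
    v3_price: Fraction  # token1 per token0 in the target v3 pool

def leftover(amount0, amount1, price):
    """Unspent (token0, token1) after a full-range deposit at `price`.
    Simplification: the pool takes tokens in the ratio token1/token0 == price."""
    used0 = min(Fraction(amount0), Fraction(amount1) / Fraction(price))
    used1 = used0 * Fraction(price)
    return amount0 - used0, amount1 - used1

def reject_reasons(m, max_price_dev=Fraction(1, 100), max_leftover=Fraction(1, 100)):
    """Return the reasons to refuse this migration; an empty list means proceed."""
    reasons = []
    # Bind authorization to the specific lock: same owner, same LP token.
    if m.caller != m.lock_owner or m.lock_token != m.v2_lp_token:
        reasons.append("caller is not the owner of a lock on this v2 LP token")
    # Compare the target pool's price with the ratio the v2 pair paid out.
    v2_price = Fraction(m.amount1, m.amount0)
    if abs(Fraction(m.v3_price) - v2_price) / v2_price > max_price_dev:
        reasons.append("v3 pool price deviates from v2 reserve ratio")
    # Bound what would be refunded instead of deposited.
    left0, left1 = leftover(m.amount0, m.amount1, m.v3_price)
    if max(left0 / m.amount0, left1 / m.amount1) > max_leftover:
        reasons.append("refund exceeds allowed fraction of migrated liquidity")
    return reasons

# Constructed sample inputs (all names and amounts are made up).
honest = Migration("alice", "alice", "LP-AB", "LP-AB", 1000, 2000, Fraction(2))
skewed = Migration("mallory", "mallory", "JUNK", "LP-AB", 1000, 2000, Fraction(200))

if __name__ == "__main__":
    print(reject_reasons(honest))
    print(leftover(1000, 2000, 200), reject_reasons(skewed))
```

In the skewed case 990 of the 1,000 token0 units would come back as a refund, so all three checks fire. In a real contract the reference price should come from a source that cannot be moved within the same transaction.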
Team Finance is urging the attackers to get in touch to discuss a bug bounty payment and says that the vulnerable smart contract was previously audited by a “reputable audit firm.” Furthermore, the company notified affected projects about the exploit, blacklisted the exploiter’s wallet on Etherscan, and requested that the wallet be blocked on other exchanges.