QuickSwap, a Polygon-based decentralized finance (DeFi) platform, has been exploited for $220,000. This occurred through a flash loans attack “due to a vulnerability with the Curve Oracle,” according to QuickSwap.
QuickSwap DEX Experiences A Flash Loans Attack
QuickSwap, a decentralized exchange built on Polygon, was exploited for more than $220,000, according to the DEX. The attack occurred on the Market XYZ lending market, which according to QuickSwap, was the only compromised platform. The exploit, initially linked to Qi DAO, was first reported by Peckshield, a blockchain security and data analytics company, in a Twitter post saying, “Hi, @QiDaoProtocol, you may want to take a look.” The security analysis firm later clarified that the attack was not linked to Qi DAO, which issues the mimetic stablecoin, and attributed it to QuickSwap, saying:
This followed a clarification by Qi DAO, who told its users over a Twitter post:
“Following the report from @peckshield, we’ve seen some suspicious transactions within a @market_xyz @QuickswapDEX market. This is NOT related to QiDao contracts, and funds on http://mai.finance are safe. We are monitoring the situation. Please keep an eye out for official updates.”
The decentralized crypto exchange later confirmed the exploit of crypto worth $220,000 using flash loans, saying that the platform was halting its services. The Twitter statement read:
“QuickSwap Lend is closing. $220k was exploited in a flash loans attack due to a vulnerability with the Curve Oracle, which @marketxyz was using. Only the Market XYZ lending market was compromised. QuickSwap’s contracts are unaffected.”
The statement assured the users that their investments were safe as the Qi DAO protocol provided the funds used on Market XYZ. The DEX also urged users who had deposited funds in the Market XYZ open markets to “withdraw them now, as we are in the process of closing them down.” “QuickSwap is strongly encouraging Market xyz to compensate Qi Dao for their losses fully, ” the post noted.
So What Now?
Even though QuickSwap promised to provide updates early on Monday, users have waited for more than 36 hours with no clarification on the issue at press time.
According to an initial analysis by QuickSwap, the attacker manipulated prices and borrowed funds at inflated prices. The attacker has since transferred the funds back to ETH and deposited them on Tornado Cash, a mixing service subjected to several sanctions.
QuickSwap is a fork of the Uniswap DEX, one of the most known DeFi applications in the crypto industry. However, unlike Uniswap, QuickSwap does not run on Ethereum but Polygon, the blockchain which hosts the 12th biggest cryptocurrency by market capitalization, MATIC.
DEXs platforms are continuously becoming more and more vulnerable to attacks. Since there is no insurance as there would be on a centralized exchange, as users are entirely in control of their funds, the funds are usually lost forever if they are not recovered.
QuickSwap’s attack is the latest in a growing list of exploits this year, with October already the worst month ever for crypto attacks.