The Polygon (MATIC) based DEX says $220,000 worth of tokens were stolen following an exploit of DeFi platform Market XYZ.
The platform says the incident stems from a flaw in automated market maker (AMM) Curve Oracle, which Market XYZ was using.
⚠️QuickSwap Lend is closing⚠️
— QuickSwap (@QuickswapDEX) October 24, 2022
🔗$220k was exploited in a flash loans attack due to a vulnerability with the Curve Oracle, which @marketxyz was using
☣ Only the Market XYZ lending market was compromised. QuickSwap's contracts are unaffected
🪡🧵👇1/3 pic.twitter.com/oWNz7BAujT
“QuickSwap Lend is closing. $220,000 was exploited in a flash loans attack due to a vulnerability with the Curve Oracle, which Market XYZ was using.”
QuickSwap says the hack did not affect any user funds and clarifies that the DEX’s contracts haven’t been compromised.
However, the platform is terminating support for Market XYZ, and urges the platform to compensate for the losses of stablecoin creator Qi Dao, which provided the pool’s seed funds.
“We are encouraging users with funds deposited in Market xyz’s open markets on QuickSwap to withdraw them now, as we are in the process of closing them down.
Blockchain security firm Peckshield says the attack was achieved by compromising Curve Oracle’s price feed, and then borrowing funds based on the new inflated price.
Note that this specific bug was recently disclosed by @chain_security on Oct 11 https://t.co/SXePgm5HHg.
— PeckShield Inc. (@peckshield) October 24, 2022
“It is a price manipulation issue. The miMATIC market uses CurvePoolOracle for price feed, which is manipulated to borrow funds from the market.”
Peckshield also says blockchain security firm ChainSecurity reported the vulnerability earlier this month.
The DeFi space has already seen several large exploits this month, including Olympus decentralized autonomous organization (DAO) and Mango Markets DAO.
