$371K in USDC stolen in an Avalanche flash loan exploit

$371K in USDC stolen in an Avalanche flash loan exploit

By Charles Thuo - min read

Avalanche-based lending protocol Nereus Finance was hacked and $371K in USD Coin (USDC) was stolen. The hacker deployed a custom smart contract taking advantage of a $51 million flash loan from Aave.

CertiK, a blockchain cybersecurity firm, was among the first to detect the hack on September 6. CertiK at the time said that the exploit impacted liquidity pools relating to decentralized exchange Trader Joe and automated market maker Curve Finance on Nereus

But Curve Finance responded on September 7 arguing that maybe CertiK was referring to ‘assets impacted’ rather than protocols impacted since only Nereus Finance and its assets seemed affected by the exploit.

Post-mortem of the exploit

On September 7, Nereus Finance released a comprehensive post-mortem of the exploit saying that the hacker was able to deploy a custom smart contract targeting a $51 million flash loan from Aave to manipulate the price of AVAX/USDC Trader Joe LP pool for a single block.

Consequently, the hacker was able to mint 998,000 NXUSD, Nereus’ native token, using collateral worth $508,000. The hacker then swapped the minted NXUSD into different assets through several liquidity pools and managed to walk away with a net profit of $371,406 after the flash loan was returned.

While the hacker made a profit, the exploit created $508,000 worth of NXUSD ‘bad debt.’

Nereus was however quick to arrest the situation by developing a mitigation plan, notifying law enforcement, and then liquidating and pausing the exploited JLP pool. The NXUSD bad debt was paid off using the protocol’s treasury.

Nereus also noted that a similar exploit will not be possible in future since the protocol will amend its audit and security practices. Nereus noted:

“While this exploit is a bad incident — it’s not uncommon for protocols to face these types of battle tests.”

As of the time of writing, the Nereus team was still trying to identify the hacker by tracking the funds. It has offered a 20% White Hat reward for the return of the funds with no questions asked.