Superfluid’s vesting contract for QI hacked, funds on QiDao contracts unaffected

By Sam Grant
Updated 21 March 2023
  • The hack on Polygon stablecoin QiDao comes barely a day after Polygon Network completed a $450 million private token sale
  • QiDao protocol shared an update, confirming that user funds on QiDao contracts are safe

Mai Finance creator QiDao has been exploited to the tune of $13 million. The Polygon-native stablecoin protocol shared a Twitter post a few hours ago revealing that its Superfluid vesting contract had been compromised.

"Superfluid's vesting contract for QI has been exploited. User funds on QiDao contracts remain safe. The exploit is solely on Superfluid. We will release an update when we know more," QiDao wrote.

The team sent a quick update via a follow-up post detailing that the situation was still under assessment. The update also specified that no user funds had been affected and that Qi bridging had been suspended for the time being.

"We're still assessing the situation. We can confirm that all funds in QiDao are safe. No user funds have been affected. We're aware there are other tokens affected. We'll update the community when we learn more. Qi bridging is temporarily paused."

QI token price dips

Although the news of the exploit hadn't made headlines on many crypto news outlets at the time, it left a massive dent in the market value of the governance token QI. The price of QI plunged from $1.238 right before the exploit was reported to $0.166 in less than two hours as the perpetrator(s) dumped the tokens on Quickswap.

QI/USD trading chart. Source: CoinMarketCap

Market data shows that the token has hemorrhaged 40% of its value in the last 24 hours. Many investors rushed to buy QI at a low price, consequently pushing the price higher. QI is now trading at $0.73 as per CoinMarketCap.

Superfluid, which describes itself as a 'DeFi primitive to automate recurring transactions and monetise Web3', is a smart contract framework that operates on Ethereum.

The Superfluid Twitter team acknowledged the exploit on QiDao and warned users to "avoid interactions with Superfluid smart contracts until further notice." The team also asked users to unwrap their SuperTokens as they could be targeted by the malicious actor(s).

The attacker(s) stole an estimated $13 million worth of tokens, probably from the team's vested token pool since user funds weren't affected. CoinTelegraph reports that these tokens include 1.5 million MOCA, 562,000 USDC, 40,000 sdam3CRV, 23,000 STACK, 44 SDT, and 24 WETH.

It is worth noting that the exploit comes less than two months after Superfluid launched MAIx, allowing users to stream MAI (miMatic). Previously, QiDao leveraged Superfluid to stream QI tokens to contributors on Polygon.