Team Finance is a decentralized finance (DeFi) platform that allows projects to lock their liquidity to prevent a “rug pull.” The company locks tokens in non-custodial smart contracts. Team Finance said it is working with different security and blockchain investigation companies to assess the situation and find a solution. It has also reached out to the unidentified hacker, urging them to get in touch “to discuss possible resolutions.” Meanwhile, the hacker’s wallet address has been blacklisted on Etherscan and has been shared with crypto exchanges. “We are working diligently to resolve this situation as quickly as possible,” Team Finance stated. “We will keep you updated as new information becomes available.”
Vulnerability in Migration Function
Team Finance said the attacker exploited a vulnerability in its Uniswap v2 to v3 migration function to steal the tokens at 2 AM Pacific time on Thursday. This function is a contract that allows users to migrate their liquidity pools from Uniswap v2 to v3. According to Team Finance, a leading firm audited the contract. However, the flaw appears to have gone undetected. Blockchain security company PeckShield said the flaw in the migration function gave the attacker the ability to manipulate the price of liquidity tokens when transferring from v2 to v3. “The protocol has a flawed migrate() that is exploited to transfer real UniswapV2 liquidity to an attacker-controlled new V3 pair with skewed price, resulting in huge leftover as the refund for profit,” PeckShield explained. According to PeckShield, the attacker used just 1.76 ETH (approximately $2,700) to launch the attack and stole tokens worth $15.8 million. The incident affected four projects: CAW – A Hunters Dream ($11.5 million), Dejitaru Tsuka ($1.7 million), Kondux ($700,000), and Feg ($1.9 million). Team Finance said it has reached out to the affected projects and is keeping them updated. The company said all other functions on its platform are working properly, and other funds are not at risk.
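The following simplified model shows why a skewed target price leaves a large leftover, and a pre-migration check that rejects such a migration. It is an added example, not Team Finance's or Uniswap's code. The ratio-deposit model, the function names, the reserves and the 1% thresholds are assumptions chosen for illustration.

```python
from fractions import Fraction

def withdraw_v2(reserve0, reserve1, lp_share):
    """Tokens released when lp_share (0..1) of a V2 pair is burned."""
    return reserve0 * lp_share, reserve1 * lp_share

def deposit_at_price(amount0, amount1, price):
    """Deposit into a pool quoted at `price` (token1 per token0).
    Assumption: the pool takes tokens in the ratio of its price.
    Returns (used0, used1, leftover0, leftover1)."""
    used0 = min(amount0, amount1 / price)
    used1 = used0 * price
    return used0, used1, amount0 - used0, amount1 - used1

def check_migration(reserve0, reserve1, lp_share, target_price,
                    max_deviation=Fraction(1, 100),
                    max_leftover=Fraction(1, 100)):
    """Hypothetical guard: compare the target pool price with the V2 reserve
    ratio and bound the share of value that would come back as a refund.
    Returns (allowed, price_deviation, leftover_share)."""
    fair = Fraction(reserve1, reserve0)
    deviation = abs(target_price - fair) / fair
    amount0, amount1 = withdraw_v2(reserve0, reserve1, lp_share)
    _, _, left0, left1 = deposit_at_price(amount0, amount1, target_price)
    # Value both tokens in token1 at the V2 price to compare like with like.
    leftover = (left0 * fair + left1) / (amount0 * fair + amount1)
    allowed = deviation <= max_deviation and leftover <= max_leftover
    return allowed, deviation, leftover

# Constructed sample: a V2 pair holding 1,000,000 token0 and 500 token1,
# of which the lock owns 10% of the LP supply.
RESERVE0, RESERVE1 = 1_000_000, 500
LOCKED_SHARE = Fraction(1, 10)
FAIR = Fraction(RESERVE1, RESERVE0)

if __name__ == "__main__":
    for label, price in (("V2 price", FAIR), ("100x skew", FAIR * 100)):
        allowed, dev, left = check_migration(RESERVE0, RESERVE1,
                                             LOCKED_SHARE, price)
        print(f"{label}: allowed={allowed} deviation={float(dev):.2f} "
              f"leftover={float(left):.1%}")
```

In this model, a pool quoted at 100 times the V2 price absorbs only 1% of the withdrawn token0, so nearly half of the locked value would be returned as a refund unless the migration is rejected.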
Hackers are Targeting Crypto Assets
There has been an uptick in crypto heists in recent months. The amount stolen from Team Finance pales in comparison to other DeFi hacks. In December last year, a hacker stole $600 million from Poly Network in the largest crypto heist to date. Beanstalk Farms, a credit-based stablecoin protocol, also lost $182 million after a hacker breached its platform. And, in September, a hacker made away with over $160 million worth of tokens from the DeFi platform Wintermute. Hackers are not only targeting DeFi companies but also individuals who invest in crypto. According to the Federal Trade Commission (FTC), between January 2021 and March 2022, over 46,000 people lost about $1 billion to crypto scams. Check out our article on Bitcoin and cryptocurrency scams to learn how to protect your crypto assets.