Vestra DAO (VSTR) 智能trac在推出不到一个月后就被利用
Vestra DAO 似乎已被黑客攻击。链上分析师注意到可疑活动,其中 VSTR 代币(该协议的原生 ERC-20 代币)从可用的智能trac中转移并立即发送到 Tornado 混合器。
截至报告发布时,至少价值 48 万美元的代币已被盗。虽然最初的攻击相对较小,但其他参与者仍然面临风险。链上研究员 Chaofan Shou 首先注意到了该漏洞,并建议所有用户撤回权限。
Vestra DAO @Vestra_DAO刚刚遭到黑客攻击,并且仍在继续。已经损失 48 万美元,未来还会损失更多。立即撤回您的股份并提取流动性。 pic.twitter.com/0b9i1lhrEw
—手超凡 (@shoucccc) 2024 年 12 月 4 日
The exploit has affected the VSTR token staking contract, with the funds immediately liquidated and sent to the Tornado mixer. For VSTR, more than 65% of the tokens are locked for governance, with over 34B tokens.
The affected smart contract holds the remaining 755M VSTR tokens, making up 1.51% of the total supply. Despite the attack against a relatively small token, the subsequent market crash erased even more value from the project. For now, Vestra DAO may have enough VSTR in its reserves to compensate users, while trying to repair its reputational damage.
Exploiter waited for a month before exploiting a contract logic flaw
The exploiter sold in a rush, paying 0.51 ETH to Beaverbuild for priority inclusion in a block. Vestra DAO’s locked staking contract was affected, directly sending out VSTR tokens.
For hours, the exploiter sent out spam transactions for 520K or 500K VSTR to the contract, in the end, trading $480K in total. The attack exploited a logic flaw in the contract, which allowed the hacker to receive 20,000 VSTR after each transaction.
On-chain analysis showed that the attacker first staked VSTR to the contract 30 days ago, lurking and studying the contract’s flaw. Then, the automated series of transactions started extracting VSTR with each iteration of staking and unstaking.
The data checks on every deposit and withdrawal did not trigger any warnings, allowing the attacker to drain the contract over multiple deposit and withdrawal transactions. The contract checked the maturity only once, but the hacker had completed the requirement by staking 30 days ago.
The result of the exploit was a haul of 125 ETH, which was mixed through Tornado Cash. The attacker spent $40K on Ethereum gas for the fastest possible swaps, briefly becoming the biggest gas user on the chain.
Vestra DAO has not issued the specifics of the attack and claimed user funds remained unaffected. However, the contract was drained of its VSTR tokens, clearly taking value from the project.
VSTR tokens hacked a month after trading launch
Vestra DAO is a relatively new project, with VSTR tokens trading since November 6. The token is only available in a Uniswap V3 trading pair.
The DAO ran its very first proposal on October 14, and it was tied to selling 1B tokens from the project’s treasury. The VSTR token still has only 1,643 holders, adding to the limited effect of the hack.
The token immediately crashed after the attack, from $0.013 to $0.005. Later, VSTR inched up to $0.009 but remains extremely illiquid and volatile. In addition to the direct loss, VSTR also wiped out half its market capitalization.
At this point, VSTR may be even riskier than early-stage meme tokens. The biggest risk is that VSTR tokens only have $1.9M in liquidity, which is not locked and can be further exploited via a rug pull.
The other risk for the project is that its contracts invoke functions from external smart contracts, leading to a general warning on CoinGecko. Vestra DAO claimed it had blacklisted its staking contract, but it is unknown if similar vulnerabilities exist for other smart contracts.
Even for audited projects, smart contracts may not always be entirely secure and may hold exploit possibilities. In the case of the VestraDAO, the early-stage project may recover and boost its reliability.
Vestra DAO appealed to the Turkish crypto community, one of the most active groups of early adopters. The VSTR token even had a conversion price into Turkish lira.
Land a High-Paying Web3 Job in 90 Days: The Ultimate Roadmap
推荐文章
