Vestra DAO (VSTR) 智能trac在推出不到一個月後就被利用
Vestra DAO 似乎已被黑客攻擊。鏈上分析師注意到可疑活動,其中 VSTR 代幣(該協議的原生 ERC-20 代幣)從可用的智能trac中轉移並立即發送到 Tornado 混合器。
截至報告發布時,至少價值 48 萬美元的代幣已被盜。雖然最初的攻擊相對較小,但其他參與者仍然面臨風險。鏈上研究員 Chaofan Shou 首先注意到了該漏洞,並建議所有用戶撤回權限。
Vestra DAO @Vestra_DAO剛剛遭到黑客攻擊,並且仍在繼續。已經損失 48 萬美元,未來還會損失更多。立即撤回您的股份並提取流動性。 pic.twitter.com/0b9i1lhrEw
—手超凡 (@shoucccc) 2024 年 12 月 4 日
The exploit has affected the VSTR token staking contract, with the funds immediately liquidated and sent to the Tornado mixer. For VSTR, more than 65% of the tokens are locked for governance, with over 34B tokens.
The affected smart contract holds the remaining 755M VSTR tokens, making up 1.51% of the total supply. Despite the attack against a relatively small token, the subsequent market crash erased even more value from the project. For now, Vestra DAO may have enough VSTR in its reserves to compensate users, while trying to repair its reputational damage.
Exploiter waited for a month before exploiting a contract logic flaw
The exploiter sold in a rush, paying 0.51 ETH to Beaverbuild for priority inclusion in a block. Vestra DAO’s locked staking contract was affected, directly sending out VSTR tokens.
For hours, the exploiter sent out spam transactions for 520K or 500K VSTR to the contract, in the end, trading $480K in total. The attack exploited a logic flaw in the contract, which allowed the hacker to receive 20,000 VSTR after each transaction.
On-chain analysis showed that the attacker first staked VSTR to the contract 30 days ago, lurking and studying the contract’s flaw. Then, the automated series of transactions started extracting VSTR with each iteration of staking and unstaking.
The data checks on every deposit and withdrawal did not trigger any warnings, allowing the attacker to drain the contract over multiple deposit and withdrawal transactions. The contract checked the maturity only once, but the hacker had completed the requirement by staking 30 days ago.
The result of the exploit was a haul of 125 ETH, which was mixed through Tornado Cash. The attacker spent $40K on Ethereum gas for the fastest possible swaps, briefly becoming the biggest gas user on the chain.
Vestra DAO has not issued the specifics of the attack and claimed user funds remained unaffected. However, the contract was drained of its VSTR tokens, clearly taking value from the project.
VSTR tokens hacked a month after trading launch
Vestra DAO is a relatively new project, with VSTR tokens trading since November 6. The token is only available in a Uniswap V3 trading pair.
The DAO ran its very first proposal on October 14, and it was tied to selling 1B tokens from the project’s treasury. The VSTR token still has only 1,643 holders, adding to the limited effect of the hack.
The token immediately crashed after the attack, from $0.013 to $0.005. Later, VSTR inched up to $0.009 but remains extremely illiquid and volatile. In addition to the direct loss, VSTR also wiped out half its market capitalization.
At this point, VSTR may be even riskier than early-stage meme tokens. The biggest risk is that VSTR tokens only have $1.9M in liquidity, which is not locked and can be further exploited via a rug pull.
The other risk for the project is that its contracts invoke functions from external smart contracts, leading to a general warning on CoinGecko. Vestra DAO claimed it had blacklisted its staking contract, but it is unknown if similar vulnerabilities exist for other smart contracts.
Even for audited projects, smart contracts may not always be entirely secure and may hold exploit possibilities. In the case of the VestraDAO, the early-stage project may recover and boost its reliability.
Vestra DAO appealed to the Turkish crypto community, one of the most active groups of early adopters. The VSTR token even had a conversion price into Turkish lira.
Land a High-Paying Web3 Job in 90 Days: The Ultimate Roadmap
推薦文章
