An attacker has fumbled their heist at the finish line, leaving behind over $1 million in stolen crypto in a rare comedic blunder among DeFi attacks.
The attacker took advantage of a vulnerability in the way the protocol distributes rewards, allowing them to mint extra tokens that were subsequently sold, bringing the price down to zero but netting the exploiter a little over $1 million.
Hacker dooms own operation
On Thursday, Apr. 21st, just after 8 a.m. UTC, blockchain security and analytics firm BlockSec announced that it had discovered an attack on Zeed, a little-known DeFi lending protocol that bills itself as a “decentralised financial integrated ecosystem.”
The stolen crypto was transferred to an “attack contract,” a smart contract that automatically and quickly executes the discovered exploit, according to blockchain analytics firm PeckShield.
“It appears that @zeedcommunity suffered an exploit. The exploiter gained ~$1m. The gains currently sit in the attack contract,” PeckShield alerted on Twitter.
However, the attacker was apparently so thrilled by the successful heist that they forgot to transfer over $1 million in stolen cryptocurrency out of their attack contract before setting it to self-destruct, ensuring the cash could never be moved.
Using a blockchain scanner to inspect the attack contract address reveals that $1,041,237.57 in BSC-USD Binance-Peg token is permanently stuck in the contract, and the contract’s successful self-destruction was confirmed at 7:15 a.m. UTC on Apr. 21.
DeFi exploits becoming increasingly widespread
It’s one of the strangest developments since the Polygon hacker used messages embedded in Ethereum (ETH) transactions to hold an “Ask Me Anything” after stealing $612 million from the protocol in August 2021. The attacker hacked “for fun” and thought “cross-chain hacking is hot,” according to the question and answer session.
In contrast, other DeFi protocol hacks have resulted in hundreds of millions of dollars being stolen, such as the recent Ronin bridge hack, which saw attackers make off with over $600 million.