Visor Finance is the most recent DeFi protocol to be hacked for millions of dollars.
Visor Finance lost 8.8 million VISR tokens after an attacker exploited a reentrancy weakness. At the time of the attack, VISR tokens were trading at roughly $0.93.
Visor Finance Exploit
A hostile contract stole 8,812,958 VISR tokens from Visor Finance’s staking contract on December 21st, 2021, at 02:29:11 UTC. The exploit went through the IVisor delegateTransferERC20 interface. The attacker also used the staking contract’s withdrawal function to request the desired VISR amount. The exploit succeeded because the calling contract depended on an external implementation of IVisor delegateTransferERC20.
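The failure mode described above, as an added example: a simplified Python model, not Visor's contract code and not part of the original article. It assumes the depositor chooses which external delegateTransferERC20 implementation is called; all class names are hypothetical. The weak mode credits shares on the callee's word, while the hardened mode checks the staking contract's own balance change and rejects nested deposits.

```python
# Simplified model, constructed for illustration; not Visor's contract code.
class Token:
    """Minimal ERC-20-style ledger keyed by account object."""
    def __init__(self):
        self.balances = {}

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] = self.balance_of(src) - amount
        self.balances[dst] = self.balance_of(dst) + amount


class HonestVault:
    """External contract that really moves the tokens it holds."""
    def __init__(self, token, funded):
        self.token = token
        token.balances[self] = funded

    def delegateTransferERC20(self, to, amount):
        self.token.transfer(self, to, amount)


class NoOpVault:
    """Caller-supplied contract whose transfer hook moves nothing."""
    def delegateTransferERC20(self, to, amount):
        pass


class Staking:
    def __init__(self, token, hardened):
        self.token, self.hardened = token, hardened
        self.shares, self.locked = {}, False

    def deposit(self, amount, vault, to):
        if self.hardened and self.locked:
            raise RuntimeError("reentrant call")  # guard against nested deposits
        self.locked = True
        try:
            before = self.token.balance_of(self)
            vault.delegateTransferERC20(self, amount)  # call into untrusted code
            received = self.token.balance_of(self) - before
            if self.hardened and received != amount:
                raise RuntimeError("tokens not received")  # trust the ledger, not the callee
            self.shares[to] = self.shares.get(to, 0) + amount
        finally:
            self.locked = False
```

In the weak mode a deposit through NoOpVault leaves the depositor holding shares that no tokens back, and those shares can then be redeemed through withdrawal.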
The attacker was able to get away with the tokens thanks to bugs in the Visor decentralized system. Although a full post-mortem investigation has yet to be completed, it is believed that the hacker took advantage of the weakness to take control of the rewards contract. As a result, they may be able to generate more VISR tokens.
Because reentrancy flaws allow an attacker to manufacture an endless number of tokens, they can be lethal in DEXs. The Visor team disclosed the breach shortly after it occurred, saying that a fault in its VISR staking contract had been uncovered.
No positions or hypervisors were in jeopardy, according to the team. The attack primarily impacts stakers and token holders, as their number has plummeted drastically following the attack. Right now, one VISR is worth only $0.04, having lost 95% of its value.
Compensation for Users
To compensate users, the Visor team has said that it will set a migration date based on a snapshot taken prior to the hack. Token migrations are a frequent approach for preventing DeFi hacks. They work by allowing token holders to exchange their existing holdings for an equivalent number of new tokens.
Users will be able to redeem their VISR based on the total amount of VISR they had before the breach. Although Visor has grown in popularity since its launch, it hasn’t been without its financial setbacks. It has been breached multiple times this year. The most recent incident, in November, was described as a “Uniswap V3 arbitrage,” according to the report.
Surprisingly, the protocol has been certified by CertiK, a security firm that has previously overlooked other DeFi weaknesses; nevertheless, the protocol is currently being reviewed by Quantstamp as a result of the attack.
According to Etherscan statistics, the attacker has already used Uniswap to convert the majority of their VISR tokens to ETH. In addition, they’ve started sending money through Tornado.cash, an Ethereum transaction mixer. However, because of the liquidity issue, their proceeds will end up with a notional value of much less than $8.2 million.