Zabu Finance, a DeFi platform built on the Avalanche blockchain, has apparently been hacked. Zabu confirmed that the attacker successfully pulled out 4.5 billion tokens in Zabu Farm Contract and stole around $600K.
Zabu Finance publicized the vulnerability by appealing to Avalanche and popular Avalanche-hosted decentralized exchanges like Pangolin and Trader Joe for assistance:
“Zabu Team Wallet has not sold a single Zabu. We’re under an exploit, possibly from Spore Pool. We’re investigating the exploit. Need help Pangolin, Trader Joe, Avalanche.”
Zabu discovered the assets were stolen from a pool of Spore tokens, which included 402.9 WETH, 23,157 WAVAX, 21,501 PNG, 106,848 AVE, 361,267 USDT, and 23,958.93 JOE, totalling $3.2 million at the time of the exploit, according to the blockchain explorer.
The attacker “successfully pulled out 4.5 billion Zabu tokens from Zabu Farm Contract, dumped all to Pangolin LPs and Trader Joe LPs of Zabu, stole roughly $600K,” according to Zabu.
Investors were encouraged to withdraw their holdings as soon as the exploit was discovered by Zabu and Yield Yak, an Avalanche-hosted DeFi tool.
Zabu plans to repay tokens to investors based on their balances before and after the attack as part of its remediation:
“The process of Snapshot might take time as we need to calculate balances of Zabu Holders, Farm Stakers (for Zabu-related Pools) and AutoFarm Stakers (for Zabu-related Pools). We might need help Markr, DeBank and Avalanche.”
The remaining 93.12 million Zabu tokens, valued $360,000, were also burnt.
Other DeFi hack
Another DeFi initiative, xToken, reported a cyberattack on August 30 that resulted in a loss of roughly $4.5 million. According to Cointelegraph, the hacker went through an intricate token swap process that included getting a flash loan for 25,000 ETH (approximately $81 million) from the dYdX decentralized exchange to carry out the attack.
Following this, xToken discontinued the xSNX product, citing “large surface area for vulnerabilities.”
