Avalanche flash loan exploit sees $371K in USDC stolen

cointelegraph.com:

Avalanche-based lending protocol Nereus Finance has been the victim of a crafty hack that saw a user net $371,000 worth of USD Coin (USDC) using a smart contract exploit.

Blockchain cybersecurity firm CertiK was one of the first to detect the exploit on Sept. 6, indicating that the attack impacted liquidity pools on Nereus relating to decentralized exchange Trader Joe and automated market maker Curve Finance.

CertiK also suggested that underlying protocols themselves were impacted, however, Curve Finance responded via Twitter on Sept. 7, stating “maybe you meant ‘assets impacted,’ not ‘protocols impacted’. Only @nereusfinance and its assets seem impacted.”

On Sept. 7, Nereus Finance released a detailed post-mortem of the incident explaining an “exploiter” was able to deploy a custom smart contract that utilized a $51 million flash loan from Aave to artificially manipulate the AVAX/USDC Trader Joe LP (JLP) pool price for a single block.

We've published a post-mortem on the NXUSD incident from yesterday. https://t.co/ADhu6PagP2 Thanks @peckshield @CertiK

As a result, the anonymous hacker was able to mint 998,000 worth of Nereus' native token NXUSD against $508,000 worth of collateral. They then swapped this capital into different assets via various liquidity pools and managed to walk away with a net profit of $371,406 once the flash loan was returned. 

The incident ended with to the creation of $500,000 of NXUSD “bad debt” in the NXUSD protocol.

The Nereus team says it was quick to remedy the situation; after consulting security experts, developing a mitigation plan, and notifying law enforcement, they liquidated and paused the exploited JLP market.

The bad debt was reportedly paid off using NXUSD from the team’s treasury.

Accor