“Team Finance, a web3 infrastructure platform enabling businesses to secure tokens, suffered a hack that resulted in the loss of assets worth $14.5 million on Oct. 27, the firm tweeted” [Ghosh, M. Team Finance loses $14.5M to smart contract bug exploit. (Accessed October 28, 2022)].
The exploit occurred through a “Uniswap v2 to v3 migration function on its platform. As told by blockchain security firm PeckShield, the hacker transferred liquidity from Uniswap v2 assets on Team Finance to an attacker-controlled v3 pair with skewed pricing. By locking tokens to the contract, the attacker bypassed existing validation mechanisms and pocketed the huge leftovers as a refund for profit. Uniswap v3 was designed with better efficiency for liquidity providers (LP) than v2 on its decentralized exchange. However, v2 smart contracts are still operational, and users must interact with a migration smart contract to migrate their LP assets from v2 to v3. PeckShield estimated that the initial attack vector required for this interaction cost just 1.76 Ether.” [Sun, Z. Team Finance exploited for $14.5M during protocol migration despite contract audit. (Accessed October 28, 2022)].
Following PeckShield’s tweet, Team Finance issued the following:
“Team Finance said that the smart contract had been previously audited and urged the hacker to ‘get in contact with us for a bounty payment.’ As a result, developers have temporarily paused all activity on the protocol and claim that all funds on the platform are not at risk of a further exploit” [Sun, supra]. “Team Finance […] assured users that the remaining funds on the platform are no longer at risk from the same hacker” [Ghosh, supra]. And Team Finance reports “[t]he exploiter’s wallet has been blacklisted on Etherscan, and exchanges have been contacted” [Team Finance. Team Finance Exploit Update. (Accessed October 28, 2022)].
“The attacker has kept the entire loot parked in a single wallet. The total loss includes 880 ETH and 6.4 million DAI tokens, among others, according to PeckShield” [Ghosh, supra].
“Drained assets include USD Coin, CAW, TSUKA and KNDA tokens, as the liquidity pools were ‘moved’ to Uniswap v3. On the decentralized exchange, some of the affected tokens, such as CAW, suffered steep price declines due to the exploit and subsequent liquidity crunch” [Sun, supra].
The latest hack follows on the heels of this month’s compromise of DeFi platform Mango Markets, which was drained of $112 million in a price oracle manipulation attack. Mango had commissioned its own audit in September, handled by a team of security researchers at Neodyme, and the trading platform was hit by its exploit five weeks later. Both instances have called into question the security of certain DeFi protocols and the integrity of their audits. Most projects in the industry are based on open-source code, allowing nefarious actors to peer inside a protocol’s back end to pursue potential attack vectors. [Sinclair, S. DeFi Platform Exploited for $14.5M Despite Security Audits. (Accessed October 28, 2022)].
“Team Finance and its parent company, TrustSwap, is a liquidity provider with Token Generation, Token Locks, and Liquidity Lock services. It also gives Flexible Vesting Schedules to the users. This crypto launchpad claims to have $3 billion secured across 12 blockchains” [Koolplaz. Team Finance suffers an exploit of $14.5M. (Accessed October 28, 2022)].