Illuvium Takes Preventive Measures to Protect Staked Funds After Discovering Vulnerability

ChainPlay

•

2 years ago

Share :

Illuvium, a multibillion-dollar blockchain gaming company, has drained all the funds from a Uniswap pool in an attempt to prevent an attacker from cashing out after uncovering a hole in its staking platform. The dramatic action is a potentially new measure a project has taken to offset the damage that the hacks, exploits, and attacks cause. These kinds of hacks and attacks have long plagued the decentralized finance (DeFi) movement. Unfortunately, they now seem to be spreading to the "GameFi" movement as well. While the team had uncovered the vulnerability, they initially stated that "no funds had been hacked". In addition, minting contracts had been temporarily halted. The company made the announcement on Twitter.

We have found a vulnerability in our staking contracts, and as such, the eDAO has put a temporary pause on $sILV minting. The attack vector has been closed, and no funds have been compromised. This is purely a protection mechanism for the DAO. (1/2)

— Illuvium (@illuviumio) January 4, 2022

However, a trail of transactions dating back to November shows a series of addresses with custom contracts consistently depositing a sum of ILV, Illuvium's governance token. The addresses would then withdraw a larger sum of escrowed ILV, or sILV, rewards than the staking program would normally allow before rolling the proceeds to a new address. The company drained The Uniswap V3 sILV / ETH pool in a sequence of massive transactions, starting at 2 p.m. ET on Tuesday, as a result of this preventive step. It even temporarily lowered the price of sILV to $0. "In order to prevent a security issue from being performed, we have had to take the step of rescuing the sILV pool," Co-founder Aaron Warwick said in a message on the project's official Discord channel. On Discord, Warwick mentioned that the team had a "backstop multisig that can mint in extreme circumstances."  The team used a multi-signature wallet, which is an address with certain in-protocol rights that requires a majority of a group of signers to complete transactions, issue tokens, and sell them for ETH, effectively declaring sILV worthless. It's presently unknown how much sILV the attacker was able to convert into ETH before the team was able to completely empty the pool. "As soon as we can receive a snapshot of the genuine owners of sILV, we will reimburse everyone," the team wrote on Discord. Warwick remained tight-lipped about the intentions. Users should not buy into any new liquidity added to the Uniswap pool, according to Warwick. ILV is currently trading at $1,004.33, down.8% for the day. Here’s an update on the exploit by Illuvium Co-founder @KieranWarwick.

An update on the $sILV exploit from @KieranWarwick. Thank you all for your support through this difficult period. pic.twitter.com/lo52lEb9aI

— Illuvium (@illuviumio) January 6, 2022

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt USD-1186073128 ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.