Avacash.Finance exploit: 640 AVAX stolen (post-mortem).

What happened?

Starting on Dec-08-2021 at 03:53:22 PM UTC, an attacker created several smart contracts and executed several transactions in order to steal 500 AVAX from the 100 AVAX Anonymity Pool and 140 AVAX from the 10 AVAX Anonymity Pool (640 AVAX in total).

  1. Used the flashloan feature to borrow exactly the pool's denomination (ex. 100 AVAX from the 100 AVAX pool, 10 AVAX from the 10 AVAX pool).
    (Example of the first attack: https://snowtrace.io/address/0x35497a871810cb56b65b093723c21eebeda21572)
  2. While still inside the flashloan, the attacker deposited the borrowed amount (ex. 100 AVAX) back into the same pool. The deposit restored the pool's balance, so the flashloan provider's security check (initial balance = final balance) passed, while the attacker kept a valid note for that deposit.
  3. In a second transaction, the attacker withdrew using the secret note of the deposit made in step 2, taking funds that belonged to the pool's other depositors.

How was this possible?

This attack was possible because of a well-known bug class, the “reentrancy attack”. Avacash.Finance’s flashloan feature was protected against this type of attack with a “reentrancy guard” (also called a “reentrancy lock”). However, the team’s mistake was not extending this guard to the deposit/withdrawal functions of the anonymity pools, because the team did not want to change the original TornadoCash code. Without a shared lock, a deposit made from inside the flashloan callback was accepted as if it were an ordinary deposit, and that is exactly what the attacker exploited.
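To make the three steps above and the missing-guard explanation concrete, here is a small Python model of a fixed-denomination pool with a flashloan feature. It is an added example written for this write-up, not Avacash.Finance or TornadoCash code: the class names, the string "notes" standing in for a real commitment/nullifier pair, the balance-equality repayment check and the `send_tx` revert emulation are all assumptions made to keep the model self-contained. With `guard_user_funcs=False` only `flash_loan` is guarded, as described above, and the attacker's deposit-inside-the-loan followed by a later withdrawal drains the honest depositor's funds; with `guard_user_funcs=True` the same lock covers `deposit` and `withdraw`, so the deposit from the callback reverts the whole flashloan transaction.

```python
# Toy model of the flash-loan / deposit reentrancy described above. Constructed
# for this write-up, NOT Avacash.Finance or Tornado Cash code. Amounts are AVAX
# integers; a "note" is an opaque string standing in for a commitment/nullifier.
import copy
from types import SimpleNamespace as Wallet   # Wallet(balance=100)


class Revert(Exception):
    """Stands in for an EVM revert: the whole transaction is rolled back."""


class AnonymityPool:
    """Fixed-denomination pool with a flash-loan feature.

    guard_user_funcs=False is the vulnerable layout from the post: the reentrancy
    lock protects flash_loan only. True shares one lock across all entry points.
    """

    def __init__(self, denomination, guard_user_funcs):
        self.denomination = denomination
        self.balance = 0
        self.commitments = set()   # deposited, not-yet-spent notes
        self.locked = False
        self.guard_user_funcs = guard_user_funcs

    def _lock(self, enabled=True):
        if not enabled:
            return
        if self.locked:
            raise Revert("ReentrancyGuard: reentrant call")
        self.locked = True

    def _unlock(self, enabled=True):
        if enabled:
            self.locked = False

    def deposit(self, wallet, note):
        self._lock(self.guard_user_funcs)
        if wallet.balance < self.denomination:
            raise Revert("insufficient funds")
        if note in self.commitments:
            raise Revert("commitment already submitted")
        wallet.balance -= self.denomination
        self.balance += self.denomination
        self.commitments.add(note)
        self._unlock(self.guard_user_funcs)

    def withdraw(self, wallet, note):
        self._lock(self.guard_user_funcs)
        if note not in self.commitments:
            raise Revert("unknown or already spent note")
        if self.balance < self.denomination:
            raise Revert("pool cannot cover withdrawal")
        self.commitments.remove(note)   # nullifier marked as spent
        self.balance -= self.denomination
        wallet.balance += self.denomination
        self._unlock(self.guard_user_funcs)

    def flash_loan(self, borrower, amount, callback):
        self._lock()                      # the flash-loan path was always guarded
        before = self.balance
        if amount > before:
            raise Revert("insufficient liquidity")
        self.balance -= amount
        borrower.balance += amount
        callback(self, borrower)          # borrower's arbitrary code runs here
        if self.balance < before:         # "initial balance = final balance"
            raise Revert("flash loan not repaid")
        self._unlock()


def send_tx(fn, *state):
    """Run fn() as one transaction: on Revert, roll back every object in state."""
    snapshot = [copy.deepcopy(obj.__dict__) for obj in state]
    try:
        fn()
        return True
    except Revert:
        for obj, saved in zip(state, snapshot):
            obj.__dict__.clear()
            obj.__dict__.update(saved)
        return False


def run_attack(guard_user_funcs):
    """Honest 100 AVAX deposit, then the attacker's two transactions."""
    pool = AnonymityPool(denomination=100, guard_user_funcs=guard_user_funcs)
    victim, attacker = Wallet(balance=100), Wallet(balance=0)
    pool.deposit(victim, "victim-note")

    def repay_by_depositing(p, borrower):
        # Step 2: deposit the borrowed 100 AVAX back into the pool. Its balance is
        # restored, so the repayment check passes, but the attacker keeps a note.
        p.deposit(borrower, "attacker-note")

    tx1_ok = send_tx(lambda: pool.flash_loan(attacker, 100, repay_by_depositing),
                     pool, attacker)                          # steps 1 and 2
    tx2_ok = send_tx(lambda: pool.withdraw(attacker, "attacker-note"),
                     pool, attacker)                          # step 3
    result = {"flash_loan_tx_ok": tx1_ok, "withdraw_tx_ok": tx2_ok,
              "attacker_profit": attacker.balance, "pool_balance": pool.balance}
    result["victim_can_withdraw"] = send_tx(
        lambda: pool.withdraw(victim, "victim-note"), pool, victim)
    return result
```

Calling `run_attack(guard_user_funcs=False)` reports both attacker transactions succeeding, an attacker profit of 100, a pool balance of 0 and the victim unable to withdraw; `run_attack(guard_user_funcs=True)` reports the flashloan reverting at the reentrant deposit, the later withdrawal failing for lack of a valid note, and the victim's 100 AVAX still withdrawable. The point the model makes is that the repayment check alone is not an invariant worth trusting: the guard has to cover every function that can move value while the loan is outstanding, not just the flashloan entry point.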

Asset recovery mission.

The attacker was smart enough to identify the attack vector. However, he/she left a lot of traces, especially while cashing out.

Post-Exploit Compensation.

We believe in Avacash.Finance, and we are committed to continuing our mission. Hence, we think it is fair that our affected users are compensated in the best way possible.
The Avacash.Finance team will create a compensation program in the coming weeks. Please be patient; the date will depend on how the asset recovery mission goes.

Who will be eligible?

Everyone who holds an unspent note of the 10 or 100 AVAX Anonymity Pool is eligible to participate in the compensation program. Be aware that the team is not able to check, verify or know the affected users' addresses. The team will deploy a special smart contract where you will need to submit a proof generated from your note (just as for an anonymous withdrawal). Please keep your notes and don't share them with anyone. The team will never ask for your notes.

  1. If the asset recovery mission succeeds, we will refund your stolen assets.
  2. Compensation in $CASH tokens (which would slightly change the token distribution percentages). If this is the case, it will be announced before the token launch date (before December 20th).
  3. A combination of option 1 and 2.

The Future

Our focus is still the same: to achieve #Privacy, with good #Investments, in a #Decentralized way. We are proud of our supportive and strong community, and this issue won't bring us down.
