Avalanche flash loan exploit sees $371K in USDC stolen

The scammer deployed a custom smart contract, leveraging a $51 million flash loan to manipulate the AVAX/USDC Trader Joe LP pool price for a single block.

Avalanche-based lending protocol Nereus Finance has been the victim of a crafty hack that saw a user net $371,000 worth of USD Coin (USDC) using a smart contract exploit.

Blockchain cybersecurity firm CertiK was one of the first to detect the exploit on Sept. 6, indicating that the attack impacted liquidity pools on Nereus relating to decentralized exchange Trader Joe and automated market maker Curve Finance.

CertiK also suggested that underlying protocols themselves were impacted, however, Curve Finance responded via Twitter on Sept. 7, stating “maybe you meant ‘assets impacted,’ not ‘protocols impacted’. Only @nereusfinance and its assets seem impacted.”

On Sept. 7, Nereus Finance released a detailed post-mortem of the incident explaining an “exploiter” was able to deploy a custom smart contract that utilized a $51 million flash loan from Aave to artificially manipulate the AVAX/USDC Trader Joe LP (JLP) pool price for a single block.

We've published a post-mortem on the NXUSD incident from yesterday. https://t.co/ADhu6PagP2
Thanks @peckshield @CertiK

— Nereus Finance (@nereusfinance) September 7, 2022

As a result, the anonymous hacker was able to mint 998,000 worth of Nereus' native token NXUSD against $508,000 worth of collateral. They then swapped this capital into different assets via various liquidity pools and managed to walk away with a net profit of $371,406 once the flash loan was returned. 

The incident ended with to the creation of $500,000 of NXUSD “bad debt” in the NXUSD protocol.

The Nereus team says it was quick to remedy the situation; after consulting security experts, developing a mitigation plan, and notifying law enforcement, they liquidated and paused the exploited JLP market.

The bad debt was reportedly paid off using NXUSD from the team’s treasury.

According to Nereus, the exploit resulted from a “missed step” in the price calculation, resulting in the opportunity to be exploited. However, it stressed that “no users funds are at risk, and NXUSD continues to be over collateralized” and the “Lending and Borrowing protocol was not affected by this exploit.”

Nereus is also confident the same exploit won’t be possible a second time, as the team will be  amending its "audit and security practices in order to ensure these types of events do not occur in the future," noting:

While this exploit is a bad incident — it’s not uncommon for protocols to face these types of battle tests.

As of this writing, the Nereus team is trying to identify the hacker and track the funds and has offered a 20% White Hat reward for the return of the funds, no questions asked.

Despite this recent flash loan exploit and several other notable incidents throughout the year, CertiK's August 2022 Monthly Skynet Alerts Report, released on Sept. 2, claims there has been a notable decrease in these types of attacks.

Compared to the previous month, August saw a drop of 95% in flash loan attacks, only resulting in a total loss of $745,244, the second lowest this year.

February still has the lowest recorded loss from flash loan exploits with only $200,000.