It is rare for thieves to leave their loot behind when escaping, but a hacker did precisely that after stealing more than $1 million from DeFi protocol Zeed.
The hacker exploited a vulnerability in the DeFi project to steal over $1 million and then locked it in a self-destruct contract, making it impossible for anyone to retrieve the stolen funds.
Zeed loses $1M
Blockchain security firm BlockSec first detected the attack on the Zeed protocol and shared it around 8 PM UTC on April 21.
1/ What if rewards can be tripled?
— BlockSec (@BlockSecTeam) April 21, 2022
The hacker took advantage of the reward distribution mechanism on the DeFi lending protocol, which describes itself as a “decentralized financial integrated ecosystem.”
The vulnerability allowed the hacker to mint extra tokens and sell them, thereby crashing the price of the token to zero and netting around $1 million from the theft.
The hacker then sent the stolen crypto to an “attack contract” — a smart contract capable of executing the found exploit quickly and automatically.
For a reason known only to the hacker, the attack contract self-destructed before the hacker moved the stolen funds out of it. Since the contract's destruction is irreversible, it is impossible to recover the funds.
A blockchain scanner revealed that the attack contract contained $1,041,237.57 worth of BSC-USD. Its successful destruction happened at 7:15 AM UTC on April 21.
As of press time, the Zeed protocol has yet to release a comment or update about the hack.
The prevalence of exploits and hacks in crypto continues to be a source of concern as hackers steadily improve their methods. In the first quarter of the year alone, over $1 billion worth of funds were stolen, including the Axie Infinity exploit of more than $600 million.
Users appear to be at the receiving end of these thefts since not every project offers refunds. Beyond that, an exploit could affect the project roadmap in the long term as it erodes investors’ confidence in the project.