Team Finance, a web3 infrastructure platform enabling businesses to secure tokens, suffered a hack that resulted in the loss of assets worth $14.5 million on Oct. 27, the firm tweeted.
We have just been alerted of an exploit on Team Finance.
We are currently unsure of the details.
We urge the exploiter to get in contact with us for a bounty payment
We are working to analyze and remedy the situation at this very moment.
More details to follow
— Team Finance (@TeamFinance_) October 27, 2022
Blockchain analysis and security firm PeckShield estimated that the hacker made off with $15.8 million worth of cryptocurrencies.
Team Finance said in a Twitter thread that the attacker exploited the flawed V2 to V3 migration feature, which had previously been audited.
The hacker used 1.76 Ethereum (ETH) tokens withdrawn from FixedFloat to launch the attack. The attacker has kept the entire loot parked in a single wallet. The total loss includes 880 ETH and 6.4 million DAI tokens, among others, according to PeckShield.
2/ The protocol has a flawed migrate() that is exploited to transfer real UniswapV2 liquidity to an attacker-controlled new V3 pair with skewed price, resulting in huge leftover as the refund for profit. Also, the authorized sender check is bypassed by locking any tokens. pic.twitter.com/G2QVNU7DgU
— PeckShield Inc. (@peckshield) October 27, 2022
Team Finance, a product offering of TrustSwap, assured users that the remaining funds on the platform are no longer at risk from the same hacker.
However, the platform, which is “unsure of the details” of the attack, has suspended all activities until all vulnerabilities are fixed. Team Finance has also urged the hacker to contact the team for a bounty payment.
The total value locked (TVL) on Team Finance plunged from $147.03 million to $128.39 million after the attack, according to DeFiLlama data.