Avalanche Blockchain Based DeFi Nereus Finance Loses $371K to Hackers
The Avalanche-based lending platform Nereus Finance was exploited by a user who obtained $371,000 worth of USD Coin (USDC) through a smart contract vulnerability. On September 6, blockchain security firm CertiK was among the first to flag the breach, noting that the exploit affected Nereus liquidity pools tied to the decentralized exchange Trader Joe and the automated market maker Curve.
CertiK also stated that underlying protocols were impacted; however, Curve Finance responded on Twitter on September 7: “Perhaps you intended ‘assets impacted,’ not ‘protocols impacted.’ Only @nereusfinance and its holdings seem to be affected.”
According to a post-mortem published by Nereus Finance on September 7, an “exploiter” deployed a custom smart contract that used a $51 million flash loan from Aave to manipulate the price of the AVAX/USDC Trader Joe LP (JLP) token for a single block. With the collateral temporarily overvalued, the attacker minted $998,000 worth of Nereus’ native stablecoin NXUSD against collateral actually worth $508,000. After repaying the flash loan, they swapped the NXUSD for other assets through several liquidity pools and walked away with a net gain of $371,406.
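The mechanism described above, as an added illustration that is not Nereus’ or Trader Joe’s code and does not reproduce the specific “missed element” in their pricing: a toy constant-product pool with constructed reserves shows how an LP token valued from its current reserves jumps within one block under a single large swap, while the invariant-based “fair” valuation (a widely used mitigation) barely moves. Swap size, reserves and oracle prices are all constructed values.

```python
import math

# Toy constant-product (x*y = k) pool, constructed numbers: 100,000 AVAX / 2,000,000 USDC,
# i.e. a pool spot price of $20/AVAX. LP supply = sqrt(k), as a Uniswap-V2-style pool
# mints at creation. Illustrative values only, not Nereus or Trader Joe data.
R_AVAX, R_USDC = 100_000.0, 2_000_000.0
LP_SUPPLY = math.sqrt(R_AVAX * R_USDC)
ORACLE_AVAX_PRICE = 20.0   # honest external price feed, in USDC (constructed)
ORACLE_USDC_PRICE = 1.0

def cpmm_swap(reserve_in, reserve_out, amount_in, fee_bps=30):
    """One swap on a constant-product pool; returns the new (reserve_in, reserve_out)."""
    amount_in_after_fee = amount_in * (10_000 - fee_bps) / 10_000
    amount_out = reserve_out * amount_in_after_fee / (reserve_in + amount_in_after_fee)
    return reserve_in + amount_in, reserve_out - amount_out

def reserve_based_lp_price(r_avax, r_usdc, supply, avax_price, usdc_price=1.0):
    """Naive valuation: current reserves at oracle prices, divided by LP supply.
    Manipulable within a block, because a large swap shifts the reserve split."""
    return (r_avax * avax_price + r_usdc * usdc_price) / supply

def fair_lp_price(r_avax, r_usdc, supply, avax_price, usdc_price=1.0):
    """Invariant-based valuation: 2*sqrt(k*px*py)/supply. Depends on k = x*y, which a
    swap leaves unchanged (apart from the small fee), not on the reserve split."""
    k = r_avax * r_usdc
    return 2.0 * math.sqrt(k * avax_price * usdc_price) / supply

def simulate_manipulation(usdc_in):
    """Price the LP token before and after one large USDC->AVAX swap (flash-loan sized,
    constructed) inside a single block. Returns both valuations for comparison."""
    naive_before = reserve_based_lp_price(R_AVAX, R_USDC, LP_SUPPLY, ORACLE_AVAX_PRICE)
    fair_before = fair_lp_price(R_AVAX, R_USDC, LP_SUPPLY, ORACLE_AVAX_PRICE)
    new_usdc, new_avax = cpmm_swap(R_USDC, R_AVAX, usdc_in)
    naive_after = reserve_based_lp_price(new_avax, new_usdc, LP_SUPPLY, ORACLE_AVAX_PRICE)
    fair_after = fair_lp_price(new_avax, new_usdc, LP_SUPPLY, ORACLE_AVAX_PRICE)
    return {"naive_before": naive_before, "naive_after": naive_after,
            "fair_before": fair_before, "fair_after": fair_after}

if __name__ == "__main__":
    r = simulate_manipulation(10_000_000)   # constructed swap size
    print(f"reserve-based LP price: {r['naive_before']:.3f} -> {r['naive_after']:.3f}")
    print(f"fair (invariant) LP price: {r['fair_before']:.3f} -> {r['fair_after']:.3f}")
```

Lending markets that accept LP tokens as collateral commonly use the invariant-based formula (or a time-weighted price) precisely so that a single-block reserve shift cannot inflate the collateral value.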
The incident left $500,000 of NXUSD “bad debt” in the NXUSD system. After consulting security experts, drawing up a mitigation plan and contacting law enforcement, the Nereus team quickly liquidated and paused the exploited JLP market.
The bad debt was reportedly covered with NXUSD from the team’s treasury. According to Nereus, the manipulation was possible because of a “missed element” in the pricing calculation. Nevertheless, it emphasized that “no user funds are at risk and NXUSD remains over-collateralized” and that “the Lending and Borrowing mechanism was not impacted by this issue.”
Nereus is also confident that the same vulnerability cannot be exploited again, as the team will update its “audit and security practices to ensure these types of events do not occur in the future,” adding: “While this exploit is a bad incident, it is not uncommon for protocols to face these types of battle tests.”
— Nereus Finance🔺 (@nereusfinance) September 7, 2022
At the time of writing, the Nereus team is attempting to identify the attacker and recover the funds, and has offered a 20% white-hat bounty, no questions asked, for their return. Despite this latest flash loan attack and numerous other major incidents this year, the August 2022 Monthly Skynet Alerts Report published by CertiK on September 2 shows a significant decline in this type of attack.
Compared to the previous month, flash loan exploits fell by 95% in August, with a total loss of $745,244, the second-lowest figure this year. February still holds the lowest recorded loss from flash loan exploits, at only $200,000.