Decentralized finance (DeFi) app Steadefi was exploited for at least $334,000 on Aug. 7 in an ongoing attack. The app’s development team said in a social media post that the attack currently “puts all funds at risk." The app’s total value locked has plummeted as a result of the attack, according to data from DefiLlama.
The Steadefi team posted a message to X — formerly Twitter — stating: “NOTICE: Steadefi has been exploited and all funds are currently at risk." The team also confirmed that an on-chain message has been sent to address 0x9cf71F2ff126B9743319B60d2D873F0E508810dc on Ethereum in an attempt to negotiate with the attacker. Blockchain data reveals that a number of large inflows came into this address on the Avalanche chain, beginning at 4:41 pm UTC.
The tokens transferred to the address include 130,429 USD Coin (USDC), 3.39 Bitcoin (BTC), 15 Wrapped Ether (WETH) and 6,184 Avalanche (AVAX). Aside from the WETH, all other tokens were immediately swapped for WETH. The alleged attacker then bridged 184 WETH onto another network through the Synapse bridge.
The address also appears to have performed a similar series of transactions on the Arbitrum network.
Ethereum blockchain data shows that the development team has sent a message to the attacker, offering to let the hacker keep 10% of the allegedly stolen funds.
Related: Curve-Vyper exploit: The whole story so far.
After the Steadefi team confirmed the attack, it posted a follow-up message to X explaining how the attack had occurred. The attacker reportedly stole the private key to the team’s deployer wallet, granting access to perform ownerOnly functions. The exploiter then “went on to take various owner-only actions such as allowing any wallet to be able to borrow any available funds from the lending vaults."
All loanable funds have been drained by the attacker. However, collateral held in vaults and not lent out has not been drained because the app does not contain an ownerOnly function to remove deposits. As a result, users who deposited to the “strategy" vaults may still be able to withdraw at least some of their funds.
On the other hand, the attacker paused farming contracts using an ownerOnly function. Therefore, users who deposited svTokens or ibTokens to farms cannot withdraw, and their funds are essentially stuck inside the app's contracts. According to the post, most holders of these tokens have deposited into the farms and cannot withdraw.
Exploits have been a continuing problem in the DeFi space. On Aug. 8, Estonia-based crypto payment firm CoinsPaid said attackers stole $37 million through a fake job interview. On Aug. 4, the Curve protocol was exploited for $61 million, although the attacker later began returning some of the funds.