Hacker bungles DeFi exploit: Leaves stolen $1M in contract set to self destruct

A hacker apparently so thrilled by a successful theft left behind over $1 million in a smart contract that was set to destruct, permanently ensuring the crypto could never be moved.

2330 Total views

5 Total shares

Hacker bungles DeFi exploit: Leaves stolen $1M in contract set to self destruct

In a rare comedic bungle among DeFi exploits, an attacker has fumbled their heist at the finish line leaving behind over $1 million in stolen crypto.

Just after 8AM UTC on Thursday April 21st, blockchain security and analytics firm BlockSec shared it had detected an attack on a little known DeFi lending protocol called Zeed, which styles itself a “decentralized financial integrated ecosystem”.

The attacker exploited a vulnerability in the way the protocol distributes rewards, allowing them to mint extra tokens which were then sold, crashing the price to zero, but netting just over $1 million for the exploiter.

Blockchain analytics firm PeckShield noted the stolen crypto was transferred to an “attack contract”, a smart contract which automatically and quickly executes the found exploit.

#PeckShieldAlert It appears that @zeedcommunity suffered an exploit. The exploiter gained ~$1m. The gains currently sit in the attack contract. https://t.co/bSHHGM623Q @peckshield https://t.co/jXVj0oGI8B

— PeckShieldAlert (@PeckShieldAlert) April 21, 2022

However the attacker was apparently so excited by their successful heist that they forgot to transfer over $1 million worth of stolen crypto out of their attack contract before they set it to self-destruct, permanently and irreversibly ensuring the funds can never be moved.

Interesting. The hacker kills the contract, but forgets to transfer the profit. https://t.co/HbS2fiztuc https://t.co/uApZyK8Uym pic.twitter.com/FwpZweNLHU

— PeckShield Inc. (@peckshield) April 21, 2022

Using a blockchain scanner to view the attack contract address shows that $1,041,237.57 worth of BSC-USD Binance-Peg token is forever stuck in the contract and the successful self-destruction of the contract was confirmed at 7:15AM UTC on April 21.

Related: Truth or fiction? Popular former hacker claims to have $7B in BTC

It’s one of the more bizarre turns of events since the Polygon hacker did an “Ask Me Anything” using embedded messages on Ethereum(ETH) transactions after stealing $612 million from the protocol in August 2021. The question and answer session revealed the attacker hacked “for fun” and thought “cross-chain hacking is hot.”

This latest hack is on the smaller end regarding the amount stolen, and other DeFi protocol hacks have seen hundreds of millions siphoned off as with the recent Ronin bridge hack where attackers made off with over $600 million.

Other notable DeFi exploits include the $80 million worth of crypto stolen from Qubit Finance in January where attackers tricked the protocol into believing they had deposited collateral, allowing them to mint an asset representing a bridged crypto.

DeFi marketplace Deus Finance was exploited in March when hackers manipulated the price feed of a pair of stablecoins resulting in the insolvency of user funds, netting the hackers over $3 million.