A hack of Avalanche’s lending protocol Nereus Finance resulted in $371K in USD Coin (USDC) being stolen. The hacker used a custom smart contract to take advantage of a $51 million flash loan from Aave.
Blockchain cybersecurity firm CertiK detected the hack on September 6. CertiK stated that the exploit affected liquidity pools related to the automated market maker Curve Finance and the decentralized exchange Trader Joe.
Curve Finance responded on September 7, however, arguing that CertiK may have been referring to ‘assets impacted’ rather than protocols impacted, since only Nereus Finance and its assets appeared to be affected by the exploit.
The exploit post-mortem
Nereus Finance issued a comprehensive post-mortem of the exploit on September 7. According to the report, the hacker was able to deploy a custom smart contract that drew on a $51 million flash loan from Aave in order to manipulate the price of the AVAX/USDC Trader Joe LP for a single block.
Consequently, the hacker was able to mint 998,000 NXUSD, Nereus’ native token, using collateral worth $508,000. After the flash loan was returned, the hacker converted the minted NXUSD into other assets through multiple liquidity pools to make a profit of $371,406.
While the hacker made a profit, the exploit created $508,000 worth of NXUSD ‘bad debt.’
Nereus, however, was quick to react by devising a mitigation strategy, notifying law enforcement and then liquidating the JLP pool. The NXUSD bad debt was paid off using the protocol’s treasury.
Nereus also stated that an identical exploit will not be possible in the future, as the protocol will modify its audit and security procedures. Nereus noted:
“While this exploit is a bad incident — it’s not uncommon for protocols to face these types of battle tests.”
The Nereus team is still trying to find the hacker using funds tracking. It offered a 20% white hat reward, no questions asked, for the return of the funds.