The Visor DeFi Smart Contract Exploit
On December 21st, 2021, 02:29:11 PM UTC, a malicious contract stole 8,812,958 VISR tokens from Visor Finance’s staking contract.
The attackers used the IVisor delegateTransferERC20 interface to carry out the exploit. They also used the staking contract’s withdrawal function to request the VISR amount they wanted. The exploit succeeded because the staking contract relied on an external IVisor delegateTransferERC20 implementation supplied by the caller.
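The pattern described above, as an added illustration rather than Visor’s own code: a staking contract that hands the token transfer to a caller-supplied IVisor implementation and credits the deposit on trust, placed beside a hardened version that only accepts vaults its own factory deployed, credits only the VISR that actually arrived, and blocks re-entry during the external call. The IVisor interface and its delegateTransferERC20 function follow the article; the contract names, IVaultFactory and isVault, and the 1:1 share accounting are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Visor Finance's code. The IVisor interface and its
// delegateTransferERC20 function follow the article; every other name (the two
// staking contracts, IVaultFactory, isVault, the 1:1 share accounting) is assumed.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// What the staking contract expects a caller-supplied vault to implement.
interface IVisor {
    function delegateTransferERC20(address token, address to, uint256 amount) external;
}

// Assumed registry of vaults deployed by the protocol's own factory.
interface IVaultFactory {
    function isVault(address vault) external view returns (bool);
}

// Vulnerable pattern: `from` is caller-controlled, the contract lets that address
// perform the token transfer, and then credits shares without confirming that any
// VISR actually arrived. A `from` whose delegateTransferERC20 is a no-op is
// credited for a deposit that never happened, and withdraw() pays real VISR for it.
contract VulnerableStaking {
    IERC20 public immutable visr;
    mapping(address => uint256) public shares; // 1:1 with deposited VISR (simplified)

    constructor(IERC20 visr_) {
        visr = visr_;
    }

    function deposit(uint256 amount, address from) external {
        IVisor(from).delegateTransferERC20(address(visr), address(this), amount);
        shares[msg.sender] += amount; // trusts the external call completely
    }

    function withdraw(uint256 amount) external {
        require(shares[msg.sender] >= amount, "insufficient shares");
        shares[msg.sender] -= amount;
        require(visr.transfer(msg.sender, amount), "transfer failed");
    }
}

// Hardened pattern: only vaults known to the factory may be used as `from`, the
// credited amount is measured from the contract's own balance change rather than
// taken on trust, and a simple lock blocks re-entry during the external call.
contract HardenedStaking {
    IERC20 public immutable visr;
    IVaultFactory public immutable factory;
    mapping(address => uint256) public shares;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(IERC20 visr_, IVaultFactory factory_) {
        visr = visr_;
        factory = factory_;
    }

    function deposit(uint256 amount, address from) external nonReentrant {
        require(factory.isVault(from), "from is not a protocol vault");
        uint256 before = visr.balanceOf(address(this));
        IVisor(from).delegateTransferERC20(address(visr), address(this), amount);
        // Subtraction reverts on underflow in 0.8, so a vault that pulls tokens
        // out instead of delivering them cannot slip through here.
        uint256 received = visr.balanceOf(address(this)) - before;
        require(received == amount, "vault did not deliver the deposit");
        shares[msg.sender] += received; // credit only what actually arrived
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(shares[msg.sender] >= amount, "insufficient shares");
        shares[msg.sender] -= amount;
        require(visr.transfer(msg.sender, amount), "transfer failed");
    }
}
```

The balance-difference check is the part that matters most: it turns the question from "did the external contract say it transferred?" into "does this contract hold more VISR than it did a moment ago?", which no caller-supplied implementation can fake. A production version would additionally verify that msg.sender is authorized to spend from the vault it names (for instance its owner), since the factory check alone only proves the vault is genuine, not that the caller may draw on it.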
Bugs in the Visor protocol opened a door for an attacker to make off with crypto tokens. A full post-mortem investigation has not yet been conducted, but it is believed that the attacker exploited the vulnerability to take control of the rewards contract and, as a result, create extra VISR tokens.
Reentrancy bugs can be devastating in DEXs since they allow an attacker to create an unlimited number of tokens. The Visor team announced the breach shortly after it occurred, stating that it had discovered a bug in its VISR staking contract.
The team also stated that no positions or hypervisors were at risk. The attack primarily affects stakers and token holders, since the token’s price has dropped dramatically since the attack. One VISR is currently valued at just $0.04, having lost 95% of its value.
The Visor team has stated that it will set a migration date based on a snapshot taken before the hack in order to compensate affected holders. Token migrations are a common way to respond to DeFi hacks: they allow token holders to exchange their existing holdings for an equivalent quantity of new tokens.
Users will redeem based on the total amount of VISR they held before the hack occurred. Although Visor has gained popularity since its debut, its financial journey hasn’t been without hiccups. It has been breached several times this year; however, it characterized the most recent incident, in November, as a “Uniswap V3 arbitrage.”
Notably, the protocol had been audited by CertiK, a security company that has previously missed other DeFi flaws; after the attack, the protocol was undergoing a further audit by Quantstamp.
According to Etherscan data, the attacker has already exchanged most of their VISR tokens for ETH via Uniswap. In addition, they have started funneling the proceeds through Tornado.cash, a mixing service used to obscure Ethereum transaction history.
However, because of limited liquidity, the attacker will ultimately realize significantly less than the $8.2 million notional value of the stolen tokens.