Aftermath Finance reports exploit affecting only perpetual futures

Aftermath Finance is the latest decentralized protocol to be exploited, with multiple outgoing transactions in USDC. The team announced that the hack only affected the perpetual futures market. 

Aftermath Finance, a decentralized trading and liquid staking platform on Sui, was the latest DeFi protocol to be exploited. According to the team, only perpetual futures activities were affected. 

The team announced an ongoing investigation, alongside crypto security experts. The protocol has been paused to minimize impact on available funds. Aftermath Protocol still processes $2.33M in daily trading volumes, with a 36% spike in the past day, coinciding with the exploit. The protocol mostly trades staked SUI and SUI against USDC, allowing the attacker to get hold of stablecoin rewards.

Aftermath Finance is a relatively small DeFi protocol, with just $6.7M in value locked. Based on initial estimates, the hack took away $1.14M in a series of 50K USDC transactions.

Aftermath Finance announced it is currently working on a plan to compensate for the losses. Although USDC is freezable, usually Circle does not take action without a court order, and has not worked to intercept the fund. Protocols where the attacker swapped or traded the tokens also did not intercept the transactions.

The entire attack took 36 minutes, and the hacker completed 11 transactions, according to initial estimates by Blockaid. 

The platform is the third minor Web3 app to be hacked in the past week, following ZetaChain and Syndicate. Another Sui-based protocol, Scallop, was also hit by a flash loan attack in the past week. Sui has been presented as a chain relatively safe from hacks, but several attacks happened in the span of a few months. 

Aftermath Finance was exposed through its perpetual futures market

According to the team, the hack was based on a vulnerability in the perpetual futures protocol. The attacker gained permission for negative code fees, exploiting the trading reward system. The team announced that all other packages and products remain safe. 

Aftermath Finance claimed its smart contracts were not compromised. The flaw lay with the builder code system. Developers and integrators can earn custom fees on trades routed through their integrations. The protocol tried to incentivize third-party interfaces and tools to expand its reach. 

The attackers abused the feature to receive much higher USDC fees, immediately moving the funds to other addresses. The team admitted it allowed builders to set negative fees, leading to protocol losses. 

Hacker started rotating funds immediately after the exploit

As with previous hacks, the wallet behind the Aftermath exploit started actively moving funds, so far, only limited to Sui. 

The wallet immediately swapped out the tranches of 50K USDC across other decentralized Sui protocols. On-chain tracking shows the wallet was created in advance and funded by a Sui millionaire wallet with a multi-token portfolio, based on Nansen data.

The exploiter fragmented the transactions and moved through several venues to make tracking more difficult. 

Following the initial transfers, the hacker managed a total turnover of $400K. Some of the funds may have reached KuCoin for the final move to stablecoins or for cashing out. The exploit on Sui may make tracking the funds more difficult compared to Ethereum or EVM-compatible chains.