
DeFi liquidity locker Team Finance exploited for $15 million

TL;DR

  • DeFi liquidity platform Team Finance has been exploited for $15 million.
  • Hackers exploited a bug in the protocol’s migration function to extract illicit profit from four token pairs.
  • Activities on the platform have been suspended to contain the attack.
  • Team Finance provided an update in June 2023 that all affected users have been reimbursed.

Team Finance has become the latest DeFi protocol exploited in October. The team confirmed the incident on Thursday, noting that $14.5 million in crypto tokens has been drained by hackers through a bug in its v2 to v3 migration function. However, blockchain security firm PeckShield claims the losses are higher.

Team Finance hacked for $15 million

In its report, PeckShield explained that the attackers exploited the migrate function to transfer real liquidity from Uniswap V2 to V3 with skewed prices. The manipulated asset price enabled the hackers to take a significant profit from the transaction. The statement reads:

“The protocol has a flawed migrate() that is exploited to transfer real UniswapV2 liquidity to an attacker-controlled new V3 pair with skewed price, resulting in huge leftover as the refund for profit. Also, the authorized sender check is bypassed by locking any tokens.”

Four tokens’ trading pairs were affected in the attack to the tune of $15.8 million, according to the security platform. CAW (A Hunters Dream) saw the largest loss at $11.5 million, followed by Dejitaru Tsuka at $1.7 million, Kondux at $0.7 million, and Feg at $1.9 million. Team Finance is yet to confirm a fix for the vulnerability. 
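A simplified model of the flaw PeckShield describes, added here as an illustration and not taken from Team Finance's contracts: migrating at a caller-chosen price leaves most of one token unpaired and refunds it to the caller, while a guarded version ties the call to the lock owner and bounds the price. The `Lock` record, the function names, the full-range pairing rule and the 1% tolerance are assumptions.

```python
# Added illustration: a simplified model, not Team Finance's contract code.
from dataclasses import dataclass

@dataclass
class Lock:
    owner: str      # account that locked the V2 LP position
    amount0: float  # token0 redeemable from the locked V2 liquidity
    amount1: float  # token1 redeemable from the locked V2 liquidity

def deposit_at_price(amount0, amount1, price):
    """Pair tokens at `price` (token1 per token0), as a full-range deposit
    would. Returns (used0, used1, left0, left1)."""
    used0 = min(amount0, amount1 / price)
    used1 = used0 * price
    return used0, used1, amount0 - used0, amount1 - used1

def migrate_flawed(lock, caller, target_price):
    # Authorization is not tied to this lock and the price is not checked:
    # whatever the new pair cannot absorb is refunded to the caller.
    _, _, left0, left1 = deposit_at_price(lock.amount0, lock.amount1, target_price)
    return {"refund_to": caller, "refund0": left0, "refund1": left1}

def migrate_guarded(lock, caller, target_price, max_dev=0.01):
    # 1. Only the owner of *this* lock may migrate it.
    if caller != lock.owner:
        raise PermissionError("caller does not own this lock")
    # 2. Target price must stay close to the V2 pool's reserve ratio.
    v2_price = lock.amount1 / lock.amount0
    if abs(target_price - v2_price) / v2_price > max_dev:
        raise ValueError("target price deviates from V2 pool price")
    _, _, left0, left1 = deposit_at_price(lock.amount0, lock.amount1, target_price)
    # 3. Any leftover goes back to the lock owner, never to the caller.
    return {"refund_to": lock.owner, "refund0": left0, "refund1": left1}

# Constructed sample values: V2 reserve ratio is 0.5 token1 per token0.
SAMPLE_LOCK = Lock(owner="project", amount0=1000.0, amount1=500.0)
SKEWED_PRICE = 1 / 128  # far below the real 0.5

if __name__ == "__main__":
    print(migrate_flawed(SAMPLE_LOCK, "other", SKEWED_PRICE))
    print(migrate_guarded(SAMPLE_LOCK, "project", 0.5))
```

In the constructed sample, the flawed path refunds 492.1875 of the 500 token1 to an account that never owned the lock; the guarded path rejects both the foreign caller and the skewed price.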

Crypto hacks in October are alarming 

However, all activities of the protocol have been temporarily suspended “until we are certain this exploit has been remedied,” the team tweeted, adding that all the funds managed by Team Finance are not at risk. Team Finance manages about $3 billion in assets, per the Twitter description.

The number of protocols hacked in October is unprecedented and alarming. Earlier this month, Chainalysis reported that October was the worst month in crypto hacking, with about 11 protocols hacked for $718 million in total. This growing rate of attacks puts 2022 on pace to become the worst year in history.

Team Finance rebuilds trust after devastating $15 million hack

Eight months after the incident, Team Finance reached out to Cryptopolitan with an update on how it has reimbursed users affected by the hack and made changes to reduce the risk of a recurrence.

A representative told Cryptopolitan in June 2023 that all affected users have received the vast majority of their funds back. The team also replaced the previous auditor with Certik, engaged with multiple audit firms, enhanced internal software development QA processes, beefed up the backend system architecture, and implemented system-wide, third-party software security enhancements. 

“As always, our customers remain our number one priority,” the representative said. “Team Finance has stayed secure after the incident and remains a Web3 software leader in the token management space (token generation, locks, liquidity locks, vesting, and much more).”


Ibiam Wayas
