• Exploiter used a “panic” function to remove $1 million worth of users’ funds without their permission from decentralized finance (DeFi) aggregator Chibi Finance.
• CertiK produced a detailed report after investigating the incident which, combined with blockchain data, can shed light on how the attack occurred and what users can do to protect themselves against similar attacks or scams in the future.
• Investors lost over $1 million worth of crypto in the attack or scam.
Chibi Finance $1M Alleged Rug Pull: How it Happened
On June 26, decentralized finance (DeFi) aggregator Chibi Finance was exploited by its own deployer account, and $1 million worth of cryptocurrency was drained from its contracts in an apparent rug pull or exit scam. The protocol’s official user interface disappeared, producing a 404 error, and all social media for the app was taken down. After the funds were drained, they were swapped for Wrapped Ether (WETH) and bridged to Ethereum, where they were afterward sent to Tornado Cash by the attacker. The price of the Chibi Finance (CHIBI) governance token fell by over 90% as the news broke.
How Was This Possible?
Rug pulls shouldn’t be possible in DeFi, since these apps don’t run on centralized infrastructure, so it is useful to analyze how this alleged scam was pulled off. CertiK has produced a detailed report after investigating the incident which, combined with blockchain data, can shed light on how the attack occurred and what users can do to protect themselves against similar attacks or scams in the future.
What is Chibi Finance?
Before its user interface went offline, Chibi described itself as “the most popular yield aggregator on Arbitrum”, allowing users to gain yield from across its ecosystem. On June 21, Chibi announced it had achieved $500,000 in total value locked (TVL), a measurement of the value of crypto held in an app’s contracts; shortly after this announcement it seems to have reached that goal, before the tokens were drained from its contracts.
The Attack Exploited 8 Different Contracts
The attack exploited a loophole in eight different contracts used within the Chibi Finance protocol. These contracts had been forked from other projects and were not audited properly before deployment; they included critical contracts such as the Flash Loan Factory, Harvest Factory and Governance Factory contracts. Each of them carried admin privileges that allowed funds to be transferred out of the smart contracts without authorization checks or other security measures being enforced when transactions were made using those privileges. This means the loophole could be abused without any key associated with the smart contracts themselves: any malicious actor who held the deployer account credentials could exploit it once the contracts were deployed on-chain, transferring funds out of them without authorization and without anyone’s knowledge until it was too late.
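As an added illustration of the privileged-withdrawal pattern described above (hypothetical Solidity written for this article, not Chibi’s code or that of any project it forked), the first contract lets whoever holds the owner key move every deposited token to any address, while the second keeps an emergency exit but fixes its destination and delays and announces any change to it. Contract, function and variable names are assumed.

```solidity
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
}

// Weak pattern: a single key (the deployer/owner) can send every deposited
// token anywhere. There is no second check, no delay and no on-chain warning.
contract StrategyWeak {
    address public owner = msg.sender;
    IERC20 public immutable want; // token users deposited into the strategy
    constructor(IERC20 _want) { want = _want; }

    function panic(address to) external {
        require(msg.sender == owner, "not owner");
        require(want.transfer(to, want.balanceOf(address(this))), "transfer");
    }
}

// Hardened pattern: the emergency exit still exists, but funds can only go
// back to the vault users withdraw from, and changing that vault is
// announced on-chain and delayed so depositors (and monitors) can leave first.
contract StrategyHardened {
    uint256 public constant DELAY = 2 days;
    address public owner = msg.sender;
    address public vault;
    address public pendingVault;
    uint256 public pendingVaultAt;
    IERC20 public immutable want;
    event VaultChangeProposed(address newVault, uint256 effectiveAt);
    constructor(IERC20 _want, address _vault) { want = _want; vault = _vault; }

    function panic() external {
        require(msg.sender == owner, "not owner");
        // fixed destination: the owner cannot redirect deposits to itself
        require(want.transfer(vault, want.balanceOf(address(this))), "transfer");
    }

    function proposeVault(address newVault) external {
        require(msg.sender == owner, "not owner");
        pendingVault = newVault;
        pendingVaultAt = block.timestamp + DELAY;
        emit VaultChangeProposed(newVault, pendingVaultAt); // visible to users
    }

    function applyVault() external {
        require(msg.sender == owner, "not owner");
        require(pendingVault != address(0) && block.timestamp >= pendingVaultAt, "delay");
        vault = pendingVault;
        pendingVault = address(0);
    }
}
```

Before depositing, a user can read a strategy’s verified source for functions like the first `panic` and check whether the owner is a plain externally owned account or a timelock or multisig.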
Protecting Yourself Against Rug Pulls
Users should always exercise caution when investing in DeFi protocols, especially those that have not yet gone through a thorough third-party audit, because a lack of proper auditing may leave loopholes in the codebase that malicious actors can exploit even without the access keys associated with those smart contract deployments. Additionally, one should always diversify investments across different protocols rather than concentrating all capital in a single platform, so that losses from risks such as rug pulls are minimized significantly.