According to the exchange, $220,000 was stolen from QuickSwap, a decentralized exchange platform running on the Polygon chain.
As per QuickSwap, Market XYZ was the sole platform affected by the attack. PeckShield initially linked the hack to Qi DAO, the company behind the miMATIC stablecoin; the security and analytics firm subsequently attributed it to a QuickSwap vulnerability.
⚠️QuickSwap Lend is closing⚠️
🔗$220k was exploited in a flash loans attack due to a vulnerability with the Curve Oracle, which @marketxyz was using
☣ Only the Market XYZ lending market was compromised. QuickSwap's contracts are unaffected
🪡🧵👇1/3 pic.twitter.com/oWNz7BAujT
— QuickSwap 👨🌾 V3 Auto-Managed Farms (@QuickswapDEX) October 24, 2022
QuickSwap Lend is closing after the DEX confirmed that $220,000 had been stolen in a flash loan attack. An upgrade had been planned for Monday morning, but users were left waiting roughly 12 hours for information on the problem.
QuickSwap took to Twitter to announce the following: “We are encouraging users with funds deposited in Market xyz’s open markets on QuickSwap to withdraw them now, as we are in the process of closing them down.”
Referring to the exploit, PeckShield noted that: “It is a price manipulation issue. The miMATIC market uses CurvePoolOracle for price feed, which is manipulated to borrow funds from the market.”
It is a price manipulation issue. The miMATIC market uses CurvePoolOracle for price feed, which is manipulated to borrow funds from the market https://t.co/kDv10Zp2nz @market_xyz @QuickswapDEX @QiDaoProtocol https://t.co/muXdhubeJD pic.twitter.com/l5uWb5ynQQ
— PeckShield Inc. (@peckshield) October 24, 2022
Based on PeckShield's assessment, the hack appears to have used price manipulation to borrow money at a premium. After moving the assets to Ethereum (ETH), the exploiter transferred them to Tornado Cash, a mixing service that was the target of US Treasury sanctions a couple of months earlier. As per QuickSwap, no user holdings were stolen.
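To make the mechanism PeckShield describes concrete, here is an added simulation (not QuickSwap, Market XYZ or Curve code) of a lending market that values collateral from an AMM pool's spot price, beside a guarded oracle that refuses a price that deviates from an anchor such as a TWAP. The pool reserves, collateral amount, 75% loan-to-value and 5% deviation bound are constructed assumptions, and the spot-price oracle is a simplification of what CurvePoolOracle actually read.

```python
# Constructed simulation, not Market XYZ, QuickSwap or Curve code.
from dataclasses import dataclass

class OracleDeviation(Exception):
    pass  # pool price drifted too far from the anchor price

@dataclass
class ConstantProductPool:
    """Minimal x*y=k pool standing in for the pool an on-chain oracle reads."""
    reserve_a: float  # e.g. miMATIC
    reserve_b: float  # e.g. a dollar stablecoin

    def spot_price(self) -> float:
        # Price of one A in B, read straight from the current reserves.
        return self.reserve_b / self.reserve_a

    def swap_b_for_a(self, amount_b: float) -> float:
        # Sell amount_b of B into the pool; returns A received and moves the price.
        k = self.reserve_a * self.reserve_b
        self.reserve_b += amount_b
        new_a = k / self.reserve_b
        received = self.reserve_a - new_a
        self.reserve_a = new_a
        return received

def spot_oracle(pool, anchor):
    # Unguarded oracle: trusts whatever the pool reserves say right now.
    return pool.spot_price()

def guarded_oracle(pool, anchor, max_dev=0.05):
    # Assumed mitigation: reject a pool price more than max_dev away from an
    # anchor such as a TWAP or an independent feed, instead of lending on it.
    price = pool.spot_price()
    if abs(price - anchor) / anchor > max_dev:
        raise OracleDeviation(f"pool price {price:.2f} vs anchor {anchor:.2f}")
    return price

def max_borrow(pool, oracle, collateral_a, anchor, ltv=0.75):
    # Borrow limit the market grants against collateral_a valued by `oracle`.
    return collateral_a * oracle(pool, anchor) * ltv

def run_scenario(oracle, manipulate):
    # Constructed scenario: 1M/1M pool, 100k A collateral, anchor price 1.0. With
    # manipulate=True a large same-block swap skews the pool before the quote.
    pool = ConstantProductPool(1_000_000.0, 1_000_000.0)
    if manipulate:
        pool.swap_b_for_a(1_000_000.0)  # reserves now 500k A / 2M B, spot price 4.0
    try:
        return max_borrow(pool, oracle, 100_000.0, anchor=1.0)
    except OracleDeviation:
        return 0.0  # market refuses to quote, so nothing is borrowed
```

With the unguarded oracle the same collateral is quoted at four times its borrow limit once the pool is skewed within the block; the guarded oracle refuses the quote, which is the check a lending market reading a pool price needs.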