In a rare comedic bungle among decentralized finance (DeFi) exploits, an attacker has fumbled their heist at the finish line, leaving behind over $1 million in stolen crypto.
Just after 8:00 am UTC on Thursday, blockchain security and analytics firm BlockSec shared it had detected an attack on a little-known DeFi lending protocol called Zeed, which styles itself a “decentralized financial integrated ecosystem.”
The attacker exploited a vulnerability in the way the protocol distributes rewards, allowing them to mint extra tokens, which were then sold, crashing the price to zero, but netting just over $1 million for the exploiter.
Blockchain analytics firm PeckShield noted the stolen crypto was transferred to an “attack contract,” a smart contract that automatically and quickly executes the exploit.
#PeckShieldAlert It appears that @zeedcommunity suffered an exploit. The exploiter gained ~$1m. The gains currently sit in the attack contract. https://t.co/bSHHGM623Q @peckshield https://t.co/jXVj0oGI8B
— PeckShieldAlert (@PeckShieldAlert) April 21, 2022
However, the attacker was apparently so excited by the successful heist that they forgot to transfer over $1 million worth of stolen crypto out of their attack contract before they set it to self-destruct, permanently and irreversibly ensuring the funds can never be moved.
Interesting. The hacker kills the contract, but forgets to transfer the profit. https://t.co/HbS2fiztuc https://t.co/uApZyK8Uym pic.twitter.com/FwpZweNLHU
— PeckShield Inc. (@peckshield) April 21, 2022
Using a blockchain scanner to view the attack contract address shows that $1,041,237.57 worth of BSC-USD Binance-Peg token is forever stuck in the contract. The successful self-destruction of the contract was confirmed at 7:15 am UTC on Thursday.
It’s one of the more bizarre turns of events since the Polygon hacker did an Ask Me Anything using embedded messages on Ether (ETH) transactions after stealing $612 million from the protocol in August 2021. The question and answer session revealed the attacker hacked “for fun” and thought “cross-chain hacking is hot.”
This latest hack is on the smaller end in terms of the amount stolen. Other DeFi protocol hacks have seen hundreds of millions siphoned off, as with the recent Ronin bridge hack, where attackers made off with over $600 million.
Other notable DeFi exploits include the $80 million worth of crypto stolen from Qubit Finance in January, where attackers tricked the protocol into believing they had deposited collateral, allowing them to mint an asset representing bridged crypto.
DeFi marketplace Deus Finance was exploited in March when hackers manipulated the price feed of a pair of stablecoins, resulting in the insolvency of user funds and netting the hackers over $3 million.