Decentralized finance (DeFi) protocol Revest Finance said this weekend that $2 million was stolen through a vulnerability on their platform.
Early on Sunday morning, the company announced on Twitter that its Ethereum contracts suffered an exploit allowing hackers to steal BLOCKS, LYXe, ECO, and RENA tokens.
According to blockchain security company PeckShield, the hacker stole 7,699,999 ECO (about $100,000), 579 LYXe ($10,000), 714,999,999 BLOCKS ($1.7 million), and 352,835 RENA ($120,000). The BLOCKS DAO development team was the first to notify Revest of the incident.
“On March 27th, between 1:41 AM UTC and 2:22 AM UTC, roughly $2M worth of tokens were stolen from the Revest Protocol Token Vault. The first of these thefts was of 352,836 RenaSwap tokens worth $120,000 at the time of theft — these tokens remain in the hacker’s wallet, the only such tokens that have not been cashed out,” Revest CEO Rob Montgomery said in a post on Medium.
“Following this first attack, the hacker moved on to stealing 715,000,000 BLOCKS DAO tokens, the illegal sale of which resulted in $1.7M of stolen Ether for the hacker. For BLOCKS DAO, this resulted in the reduction of their price by at least 76% and the theft of over 500 Ethereum from their Liquidity Pool. The hacker finally targeted EcoFi with the theft of 7,700,000 ECO tokens, resulting in the theft of $100,000. Smaller amounts of ConstitutionDAO and LUKSO were also stolen during this attack, netting roughly an additional $10-$12K.”
The hacker then swapped all of the tokens besides RENA for Ether and transferred it to crypto-anonymizer TornadoCash, which makes the transactions nearly impossible to trace.
Montgomery said Revest will not be able to recover the funds from the hackers and does not have the money to cover the losses suffered by victims who used its platform. The company also does not have DeFi insurance, according to Montgomery.
The company pledged to “make things as right as they can possibly be made” but said they “do not yet know what form these actions will take and must speak to the development teams of each impacted protocol on a case-by-case basis to best determine a path forwards for all impacted individuals.”
“This will be developed in the coming days, and we hope to have more specifics to share with you in the near future. Rest assured that you and your pain are not being overlooked, and that you will forever have a place in our community. We will assist in whatever capacity we are able,” Montgomery added.
On Twitter, Revest said the security patch needed to prevent any future breaches is currently undergoing peer review and is expected to be deployed as soon as possible. The protocol will be brought back online and the unpausing of the $RVST token will be scheduled once the patch is in place, according to Revest.
They also plan to hire other audit firms to examine their codebase. Montgomery called it a “highly sophisticated attack on a vulnerability that went unnoticed” during their Solidity.Finance audit “as well as the multiple peer-reviews to which we subjected our code.”
PeckShield said the hack was made possible due to “missed reentrancy protection for the key functions of Revest.”