On June 26, decentralized finance (DeFi) aggregator Chibi Finance was exploited by its own deployer account, and $1 million worth of cryptocurrency was drained from its contracts in an apparent rug pull or exit scam. The protocol’s official user interface disappeared, producing a 404 error, and all social media for the app was taken down. After the funds were drained, they were swapped for Wrapped Ether (WETH) and bridged to Ethereum, where they were afterward sent to Tornado Cash by the attacker.
The price of the Chibi Finance (CHIBI) governance token fell by over 90% as the news broke.
But “rug pulls” shouldn’t be possible in DeFi. After all, these apps, by definition, don’t run on centralized infrastructure. So the app’s creator shouldn’t be able to run off with everyone’s crypto or cash.
For this reason, it might be useful to analyze how the alleged scam was pulled off.
CertiK has produced a detailed report after investigating the incident. When combined with blockchain data, this report can shed light on how the attack occurred and what users can do to protect themselves against similar attacks or scams in the future.
The Chibi Finance app
Before its user interface went offline, Chibi described itself as “the most popular yield aggregator on Arbitrum.” It claimed to allow users to gain yield from across the Arbitrum ecosystem.
According to CertiK, the DeFi aggregator has been growing in total value locked (TVL) — a measurement of the value of crypto held in an app’s contracts — since it launched in April. On June 21, Chibi announced it had achieved $500,000 in TVL. At the time, the team stated a goal to reach $1 million.
On June 26, the app was listed on CoinGecko for the first time, giving it greater exposure. It seems to have reached its $1 million goal shortly after this event, right before the tokens were drained from its contracts. As a result, investors lost over $1 million worth of crypto in the attack or scam.
Chibi Finance contracts
The attack exploited a loophole in eight different contracts used in the Chibi Finance protocol. These contracts were forked from other projects and were not unique to Chibi. For example, one of them was StrategyAave.sol at Arbitrum address 0x45E8a9BA6Fcd612a30ae186F3Cc93d78Be3E7d8d, which has also been deployed to several other addresses on Abitrum, Ethereum, the BNB Smart Chain and other networks.
Another example is the StrategySushiSwap.sol contract…
Click Here to Read the Full Original Article at Cointelegraph.com News…