Liquidity management decentralized finance (DeFi) protocol Visor Finance is the latest victim of a DeFi hack, with the protocol estimated to have lost USD 8.2m worth of digital assets – and becoming the 7th crypto establishment to get exploited in the last month of the year.
As reported, December has seen an exceptional rise in the number of DeFi hacks and exploits. So far this month, DeFi projects Badger DAO, Bitmart, AscendEX, Vulcan Forged, Grim Finance, and Bent Finance have been exploited for various amounts of cryptocurrencies.
Meanwhile, Visor Finance’s team confirmed the hack in the late hours of December 21, saying that the staking contract had been exploited and that they would reimburse affected users.
“We are aware of an exploit of the vVISR staking contract and are implementing a migration plan for affected VISR. No positions or hypervisors are at risk,” the team said.
In a “post-mortem” Medium post, the project detailed that “a malicious contract drained Visor Finance’s staking contract” of over VISR 8.8m tokens, worth well over USD 8m at the time of the hack.
“The attack was made possible by implementing the IVisor delegateTransferERC20 interface and calling the staking contract’s withdraw function with the desired VISR amount,” the team said. “Dependence on arbitrary IVisor delegateTransferERC20 implementation by caller allowed for the attack to take place.”
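The dependency the team describes, as a simplified Python model added here (not Visor Finance's contract code): the staking side calls an interface method that the caller implements, and the weak version credits the caller without checking that tokens arrived. The class names, the `record_transfer` flow and the balance-delta check are assumptions for illustration; the article does not describe the contract's internals or its fix.

```python
# Simplified Python model (added example, not Visor Finance's contract code).
# All class and method names below are hypothetical.

class Token:
    def __init__(self):
        self.balances = {}

    def balance_of(self, holder):
        return self.balances.get(holder, 0)

    def transfer(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount

class HonestVault:
    """Caller-side contract that really moves tokens when asked."""
    def __init__(self, token):
        self.token = token

    def delegated_transfer_erc20(self, to, amount):
        self.token.transfer(self, to, amount)

class NoOpVault:
    """Caller-supplied implementation that returns without moving anything."""
    def delegated_transfer_erc20(self, to, amount):
        return None

class TrustingStaking:
    """Weak pattern: credits the caller because the callback returned."""
    def __init__(self, token):
        self.token = token
        self.credited = {}

    def record_transfer(self, vault, amount):
        vault.delegated_transfer_erc20(self, amount)
        self.credited[vault] = self.credited.get(vault, 0) + amount

class CheckedStaking(TrustingStaking):
    """Hardened pattern: credits only what the token ledger shows arrived."""
    def record_transfer(self, vault, amount):
        before = self.token.balance_of(self)
        vault.delegated_transfer_erc20(self, amount)
        received = self.token.balance_of(self) - before
        if received != amount:
            raise ValueError("callback did not deliver the claimed amount")
        self.credited[vault] = self.credited.get(vault, 0) + amount
```

The hardened version treats the token's own ledger as the source of truth, so a caller-supplied implementation cannot create credit that is not backed by a real balance change.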
According to Etherscan transactions, the hacker has already swapped the majority of their VISR tokens for ethereum (ETH) via decentralized exchange Uniswap (UNI). They have also funnelled funds through Tornado Cash, a non-custodial privacy solution built on Ethereum that improves transaction privacy by breaking the on-chain link between source and destination addresses.
However, due to the token’s illiquidity, the hacker has ended up with just around ETH 200 (currently worth USD 812,000), far less than USD 8m. As of 8:23 UTC on Wednesday morning, nearly USD 134,900 is also sitting in the hacker’s wallet, including approximately VISR 1.3m and ETH 15.89.
As part of their future plans, Visor Finance said they aim to launch a new token with a new ticker, as it would be confusing if the ticker stays the same. It said that users will be able to redeem the new token at a ratio of 1:1, adding that they have already begun the process of listing the new token on various registries.
“No one should buy VISR as it will not be redeemable for the new token,” the team said.
Prior to the hack, Uniswap v2 and Uniswap v3 were providing liquidity to the project. “The exact same amount of ETH and tokens will be placed in liquidity positions immediately after the new token and the token migration contract is deployed,” the project said.
Following the attack, VISR, Visor Finance’s native token, tanked as the hacker swapped it. As of now, VISR is down by 96% over the last 24 hours, trading at USD 0.038.
Notably, this is not the first time Visor Finance was exploited. In late June, an attacker gained access to an account that managed some of the project’s administrative functions and withdrew USD 500,000 worth of crypto assets.