Illuvium takes measures to protect staked funds post discovery of vulnerability

Over the past year, Decen­tralised Finance (DeFi) has expe­ri­enced expo­nen­tial growth with more than 4.3 mil­lion users at the time of writ­ing. Need­less to say, it doesn’t show any signs of slow­ing down, giv­en the cur­rent demand. That said, hacks, scams, and sim­i­lar illic­it activ­i­ties played a role as well. As unfor­tu­nate as it sounds, some secu­ri­ty risks are involved.

Drastic step(s)

Mul­ti-bil­lion dol­lar blockchain gam­ing giant Illu­vi­um is cur­rent­ly the top­ic of dis­cus­sion after it fell prey to illic­it activ­i­ty. Although, no funds have been com­pro­mised so far.

Illu­vi­um is an open-world fan­ta­sy bat­tle sport that’s con­struct­ed on the Ethereum net­work and has the aim of turn­ing into the pri­ma­ry AAA-rat­ed blockchain-based sport that includes ele­ments of decen­tral­ized finance (DeFi) and non­fun­gi­ble tokens (NFT).

Here’s the inter­est­ing part. Post-detec­tion of a vul­ner­a­bil­i­ty in stak­ing con­tracts, Illu­vi­um drained entire funds from a Uniswap pool. There­by, pre­vent­ing an attack­er from cash­ing out. The team tweeted:

We have found a vul­ner­a­bil­i­ty in our stak­ing con­tracts, and as such, the eDAO has put a tem­po­rary pause on $sILV mint­ing. The attack vec­tor has been closed, and no funds have been com­pro­mised. This is pure­ly a pro­tec­tion mech­a­nism for the DAO. (1/2)

— Illu­vi­um (@illuviumio) Jan­u­ary 4, 2022

The said pre­cau­tion doesn’t real­ly come as a sur­prise. Espe­cial­ly giv­en the increase in the num­ber of hacks, exploits and attacks in the DeFi world. But the obsta­cle was fixed. At least that’s what the team stat­ed. It update stated,

“The vul­ner­a­bil­i­ty has been fixed with­in the stak­ing V2 con­tracts and we expect to have them launched short­ly. $ILV hold­ers will have time before the Land Sale to claim their $sILV. We’re very sor­ry for the incon­ve­nience. Ensur­ing the DAO is pro­tect­ed is our main priority.”

Here’s the sig­nif­i­cance of the afore­men­tioned action. The sILV/ETH Uniswap V3 pool was drained of all funds in a series of large trans­ac­tions. It even short­ed the trad­ing price of sILV to $0, although temporarily.

Further analysis

On fur­ther analy­sis, the team along with the co-founder of the net­work Aaron War­wick made a cou­ple of observations.

First­ly, users were advised to not buy into any liq­uid­i­ty. Also, attack­ers were able to steal some of the funds. But it’s cur­rent­ly unclear how much sILV the attack­er was able to cash out as ETH before the team man­aged to drain the pool entirely.

Fur­ther­more, the team added a few insights to alert users of next steps.

…they do not lose any funds from this attack. We are inves­ti­gat­ing the issue and will con­tin­ue to pro­vide updates as soon as pos­si­ble. As a reminder, we can­not stop peo­ple from buy­ing into the pool right now but please DO NOT buy in the unof­fi­cial sILV pool. ⚠️ (3/3)

— Illu­vi­um (@illuviumio) Jan­u­ary 4, 2022

As part of the lat­est warn­ing, the team shed light on an impor­tant aspect. Some­thing to think about before act­ing upon it.

There are scam­mers pre­tend­ing to be Illu­vi­um’s Offi­cial Sup­port twit­ter account pre­tend­ing to offer help. Our Twit­ter account is ver­i­fied (check for blue tick). Nev­er give out your pass­words or seed phras­es or click sus­pi­cious links. We’ve report­ed the account to Twitter.

— Illu­vi­um (@illuviumio) Jan­u­ary 4, 2022

Over­all, a detailed post-mortem would pro­vide the nec­es­sary infor­ma­tion for the afore­men­tioned hack. For now, ILV, Illuvium’s gov­er­nance token did take a major hit. It was trad­ing at the $990 mark with a 4% cor­rec­tion in 24 hours.