Exploit Report
Dear Equalizers,
Equalizer was subject to an exploit on June 7 at 11 AM UTC. Although such exploits happen quite often in the crypto space, most people do not believe one can happen to them until it already has.
Our smart contracts had been audited by Certik, one of the top auditing firms, so we believed they were bulletproof. We immediately contacted Certik for an official opinion on the exploit, which you will find attached to this article.
All assets lost by users have already been covered by Equalizer, so no user was affected by this exploit.
Our team managed to find the vulnerability quickly, isolate it and discover the attacker's address, which we made public:
Now, what happened and what is the current situation?
Equalizer vault contracts were exploited on all four chains they are deployed on: Ethereum, BSC, Polygon and Optimism. The source of the exploit was a flawed calculation that was not discovered during the security audit.
Attack flow
The example below is for the exploit on the Polygon chain:
1. The attacker took a flash loan of ~50K USDC from a UniSwap Pair, then borrowed ~50K USDC from Equalizer, which withdrew the USDC from the vault, decreasing the vault's USDC balance to 50.
2. The attacker added ~50K USDC as liquidity to the vault, receiving ~50K LP tokens, then paid the flash loan back to the vault. As a result, the vault's USDC balance was brought back to ~100K.
3. The attacker then removed liquidity. Due to the flawed calculation in the function getRatioForOneEToken(), the withdrawal amount was calculated as 100K. The vault contract paid the attacker and burned the LP tokens.
4. The attacker repaid the UniSwap Pair and walked away with ~50K USDC that originally belonged to the vault.
5. The attacker repeated the process with other vaults and tokens.
The vulnerability lies in the Vault contract: the number of LP tokens minted or redeemed was calculated from the vault's current balance of the staked token, a value that a flash loan taken through the Flash Loan Provider temporarily lowers and thus lets the borrower manipulate.
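To make the flawed ratio concrete, the following is an added Python model written for this article; it is not the Equalizer contracts, Certik's code, or an exploit script. It constructs a toy vault whose LP-token (eToken) price is derived from the balance it currently holds (mirroring the pattern described above) beside a variant that prices shares from an accounting total that still counts principal out on a flash loan. The names (Vault, ratio_for_one_etoken, provide_liquidity, remove_liquidity, flash_loan), the amounts, and the fee-free loan are all constructed for illustration and do not reproduce the on-chain figures; the point is the invariant an audit or property test should check: a flash loan must not move the share price while the principal is outstanding.

```python
"""Constructed model of a flash-loan vault with LP (eToken) share accounting.
Nothing here is Equalizer's or Certik's code; names and amounts are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict

SCALE = 10**6  # fixed-point scale for the share price (6 decimals, like USDC)


class VaultError(Exception):
    pass


@dataclass
class Vault:
    # True: price shares from the balance currently held (the flawed pattern).
    # False: price shares from balance + principal currently lent out.
    ratio_from_live_balance: bool
    balance: int = 0            # tokens physically held by the vault
    outstanding_loan: int = 0   # principal temporarily out on a flash loan
    etoken_supply: int = 0      # total LP (eToken) supply
    etokens: Dict[str, int] = field(default_factory=dict)
    in_flash_loan: bool = False

    def _assets_for_pricing(self) -> int:
        if self.ratio_from_live_balance:
            return self.balance
        return self.balance + self.outstanding_loan

    def ratio_for_one_etoken(self) -> int:
        """Underlying per eToken, scaled by SCALE (0 while nothing is issued)."""
        if self.etoken_supply == 0:
            return 0
        return self._assets_for_pricing() * SCALE // self.etoken_supply

    def provide_liquidity(self, who: str, amount: int) -> int:
        """Deposit `amount`; returns eTokens minted (integer math, as on-chain)."""
        if self.etoken_supply == 0:
            minted = amount
        else:
            minted = amount * self.etoken_supply // self._assets_for_pricing()
        self.balance += amount
        self.etoken_supply += minted
        self.etokens[who] = self.etokens.get(who, 0) + minted
        return minted

    def remove_liquidity(self, who: str, etoken_amount: int) -> int:
        """Burn eTokens; returns underlying paid out at the current ratio."""
        if self.etokens.get(who, 0) < etoken_amount:
            raise VaultError("insufficient eTokens")
        payout = etoken_amount * self._assets_for_pricing() // self.etoken_supply
        if payout > self.balance:
            raise VaultError("vault cannot cover withdrawal")
        self.etokens[who] -= etoken_amount
        self.etoken_supply -= etoken_amount
        self.balance -= payout
        return payout

    def flash_loan(self, amount: int, callback: Callable[[int], int]) -> None:
        """Lend `amount` for the duration of `callback`, which returns what it repays."""
        if self.in_flash_loan or amount > self.balance:
            raise VaultError("loan unavailable")
        self.in_flash_loan = True
        self.outstanding_loan = amount
        self.balance -= amount
        repaid = callback(amount)
        if repaid < amount:
            raise VaultError("flash loan not repaid")
        self.balance += repaid
        self.outstanding_loan = 0
        self.in_flash_loan = False


def simulate_attack_flow(ratio_from_live_balance: bool, lp_deposit: int = 100_000,
                         attacker_capital: int = 50_000, loan: int = 50_000) -> dict:
    """Replay steps 1-3 of the article against one vault and report who ends up
    with what. Amounts are constructed; the loan fee is omitted for exact math."""
    vault = Vault(ratio_from_live_balance)
    vault.provide_liquidity("lp", lp_deposit)      # an honest liquidity provider
    price_before = vault.ratio_for_one_etoken()
    observed: Dict[str, int] = {}

    def during_loan(borrowed: int) -> int:
        # The vault balance is reduced here; outside capital is deposited while it is.
        observed["price_during"] = vault.ratio_for_one_etoken()
        observed["minted"] = vault.provide_liquidity("attacker", attacker_capital)
        return borrowed                             # repay the principal

    vault.flash_loan(loan, during_loan)
    attacker_payout = vault.remove_liquidity("attacker", observed["minted"])
    lp_payout = vault.remove_liquidity("lp", vault.etokens["lp"])
    return {
        "price_before": price_before,
        "price_during": observed["price_during"],
        "attacker_etokens": observed["minted"],
        "attacker_profit": attacker_payout - attacker_capital,
        "lp_loss": lp_deposit - lp_payout,
    }


def share_price_is_loan_invariant(result: dict) -> bool:
    """The property to assert in tests: lending principal must not change the
    eToken price, otherwise a borrower can mint shares at a discount."""
    return result["price_before"] == result["price_during"]
```

With the live-balance ratio, the share price halves while the principal is out, the depositor is minted twice the eTokens its capital is worth, and the honest liquidity provider absorbs the loss; with the accounting-based ratio the price is unchanged and the same sequence yields nothing. A reentrancy-style lock that rejects liquidity changes while a flash loan is open is a sensible second line of defence, but the pricing fix is what makes the invariant hold.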
More technical details are to be found in the Certik audit report, attached below:
Measures taken
As soon as we made sense of the attack, we:
- gathered to find the source of the exploit
- contacted Certik, as the auditors of our smart contracts, to ask for an explanation
- put the EQZ app into maintenance mode, where it remains paused
- paused trading on KuCoin, resuming it only days later
- started the funds recovery process: the funds on Ethereum and BSC have been recovered, but those on Optimism and Polygon are still missing
- covered all of the losses
For enhanced security, the vaults will be redesigned, and the Equalizer app will resume activity only once they meet all security requirements.
These past few weeks have been tough for our team, but innovation is not an easy process, and it carries valuable lessons along the way. We thank our community for its support and patience; Equalizer would not be here without it.
Please follow our official channels for updates regarding our future plans and the Equalizer app.
About Equalizer
Equalizer is the first dedicated flash loan marketplace built on top of a scalable infrastructure that can handle the rising demand of decentralized lending and borrowing and that can boost the trading volume of any listed asset. It offers top benefits over the popular do-it-all DeFi protocols and sets itself a class apart by offering lower fees, a virtually unlimited choice of token vaults, high liquidity through yield farming, and multi-chain capabilities.