Another attack on DeFi protocol; Visor Finance hacked for $8.2M

Visor Finance, a DeFi protocol for active liquidity management, was hacked resulting in a loss of over $8 million worth of cryptocurrencies.

On December 21, Visor Finance’s team confirmed in a tweet that the DeFi protocol has been compromised in a multi-million dollar hack. The exploit was made possible through a reentrancy bug allowing the hackers to withdraw funds worth $8.2 million of vVISR tokens.

The Attack on Visor Finance

The Uniswap-based decentralized finance protocol, Visor Finance, stated that although no hypervisors are at risk from the attack, they would initiate a token migration. Token migration has become a popular strategy for overcoming DeFi attacks. The process allows token holders to redeem an equivalent amount of new tokens based on their original holdings. In this case, they’ll be able to redeem based on the amount of VISR they held. Assuring that the trades after the vVISR exploit will not affect the redeemable amount, they went on to further add,

“We are aware of an exploit of the vVISR staking contract and are implimenting a migration plan for affected VISR. No positions or hypervisors are at risk.”

For the uninitiated, Visor is an asset management protocol for the decentralized finance (DeFi) ecosystem. It’s built on the Uniswap V3 platform allowing projects and liquidity providers to optimize their return. Users can deposit assets to a vault in exchange for a non-fungible token (NFT). The protocol uses smart contracts called Hypervisors and Supervisors to manage the user’s digital assets. 

Reentrancy bugs can prove to be deadly for Ethereum’s decentralized finance protocols with crippling after-effects. This bug allows scammers to create any number of tokens. In such exploits, the attacker can change the owner of the contract allowing them to generate an unlimited number of vVISR reward tokens.

DeFi Protocol’s native vVISR token slumps

The attack has mainly impacted the stakers and token holders. The DeFi project’s token vVISR which was around  $0.93 before the malicious attack, plummeted by over 95% to reach $0.04 after the incident. The total amount of profit after the completed exchange was $978.5 thousand (243 ETH). It is speculated that the attacker’s wallet also contained 3.6 million VISR tokens and 0.475 ETH, which was estimated to be around $135,000. The attacker used the ill-famed Tornado Cash, a non-custodial privacy protocol built on Ethereum, to hide his identity.

Reentrancy attacks have become a major setback for DeFi protocols of late. Recently, the smart yield optimizer platform, Grim Finance was attacked through reentrancy loops. One of the biggest DeFi attacks happened in August when $600 million worth of various cryptos were stolen across multiple networks including Ethereum, Polygon, and Binance Smart Chain.