Jarvis Network, a decentralized finance (DeFi) project built on the Polygon network, recently lost over half a million dollars to hackers. The project is the latest DeFi protocol that has lost funds to bad actors.
The jFIAT token for Jarvis was the victim as the hacker gained over 663,000 MATIC, worth over $660,000.
What is jFIAT?
In June 2022, the Jarvis Network joined forces with lending and borrowing pool provider Midas Capital. The collaboration was geared towards launching the Jarvis jFIAT pool. jFIAT is a synthetic fiat currency designed to function as a stablecoin on a “fully on-chain forex market.”
Although Jarvis lives natively on the Ethereum network, the Polygon mainnet serves as the base layer for the jFIAT pool.
Jarvis Loses $660k
Re-entrancy attacks and price manipulation were used to facilitate the exploit. A re-entrancy attack occurs when a bad actor exploits a vulnerable smart contract, making it transfer funds to a wallet address owned by the attacker.
The attacker capitalized on a new collateral type called stMATIC-wMATIC Curve liquidity pool token, built on Midas Capital. Jarvis believes that this newly added feature was exploited by the bad actor.
???? Earlier today, our @MidasCapitalxyz pool was exploited: Midas recently added a new collateral type stMATIC-wMATIC Curve LP token, which seems to have been inflated to borrow jEUR, jCHF and jGBP, as well as agEUR, and swap all of them on @KyberNetwork for $MATIC.
— Jarvis Network ???????????? (@Jarvis_Network) January 15, 2023
According to cybersecurity firm Ancilia, the hacker performed a series of transactions that resulted in a price change of the Jarvis jFIAT token 10 times. Another action carried out by the attacker was the minting of 131,000 jFIAT tokens. About 270,000 wrapped MATIC as collateral.
According to blockchain explorer Polygonscan, the attacker’s wallet currently holds only $17. Blockchain security platform MistTrack shows that most of the stolen funds have been sent to crypto exchanges Binance, HitBTC, and KuCoin.
Binance, on its part, has a record of retrieving stolen funds for several crypto projects. In the most recent case, the exchange aided the retrieval of funds tied to the Harmony Protocol that swept $100 million from the project.
Midas and Jarvis Comments
Per the latest attack on their services, Midas Capital and Jarvis Network have commented on the exploit via Twitter.
“We’ve currently paused borrowing on the Jarvis Polygon pool,” Midas stated in a tweet.
Jarvis urged the Polygon and Ethereum developer team to assist in tracking down the funds.
