QiDAO, a decentralized finance protocol built on the Polygon network, has suffered $13 million in losses from a security breach. The vulnerability does not involve Qi DAO’s main contracts, but a vesting contract which QiDAO had deployed using programmable smart contract framework, Superfluid.
Today at 6.48am GMT we were notified of a potential exploit of the QiDAO vesting contract that leverages Superfluid code. We are investigating the incident and will keep you updated in this thread and our Discord server.
— Superfluid (@Superfluid_HQ) February 8, 2022
While Superfluid and QiDAO continue to investigate the root case of the attack, blockchain data reveals the total theft to be the tune of $13 million worth of crypto assets. At the time of writing, approximately $8 million is still held on the hacker’s address.
Superfluid revealed in a subsequent update that the hack may have been a “potential protocol layer exploit.” Users who hold so-called “SuperTokens,” tokens issued within the Superfluid framework, are promptly advised to unwrap their assets as a precaution.
QiDAO hack sees token suffers over 80% loss
As noted earlier, the latest compromise does not affect user funds staked in the QiDAO protocol. Instead, the hacker made away with staked QI and other assets vested by the project team. The exploiter had claimed $11.8 million worth of QI tokens which they immediately dumped for Wrapped Ether (WETH) using 1inch exchange.
(Source: Coingecko)
The hacker’s move, as well as investor fears of being diluted by the new supply, caused the price of $QI to drop by over 80%, going from $1.20 to $0.18 within two hours following the incident. As seen in the above chart, $QI has recovered to $0.57 following confirmation that the security breach did not directly affect QiDAO protocol.
