Following the DeFiPie hack on July 12, our partner issued an emergency statement the following day, urging all investors to withdraw their funds from the platform due to this security breach.
The hacker was able to steal roughly 720,000 $ZEFU tokens held on the multi-chain lending protocol.
DeFiPie was quick to act and the situation is now under control. The DeFiPie team has put forward governance proposals to place the network under the pause guardian, preventing further attacks, and is fixing the protocol vulnerabilities. A compensation program to refund lost tokens was also prepared in conjunction with our team.
Zenfuse course of action
We want to let our community know that this incident will not impact our project’s development or future goals. Our team has decided to take the lead and refund all the affected users with our own funds. All token holders who have lost $ZEFU have now been reimbursed.
Hacking investigation
In collaboration with blockchain security company PeckShield, the DeFiPie team was able to trace the attacker's modus operandi and the steps taken. Here’s what we’ve found so far:
- The attacker created a token contract for a malicious token (X token) with a modified transfer function
- Exploited one of the defining features of DeFiPie, the ability to create new pools, to form several pools for the X token
- Deposited liquidity into the pools, providing real collateral in the form of stablecoins (USDT, DAI, USDC)
- Borrowed the malicious X token and others, including $ZEFU, exploiting a reentrancy vulnerability that let him borrow more funds than he had provided as collateral
- Used a second account to liquidate the loans in X tokens from the first account, thus receiving the collateral. He then repeated the same process for each pool
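To show why the order of operations in a borrow function matters, here is a toy Python model of the reentrancy pattern described in the steps above. It is an example added here, not DeFiPie's contract code or PeckShield's analysis; the names CallbackToken, Pool, borrow and run, and all amounts, are assumptions made for illustration. The vulnerable path transfers tokens before recording debt; the hardened path records debt first and rejects nested calls.

```python
# Toy model, constructed for illustration; not DeFiPie's contract code.
class CallbackToken:
    """Token whose transfer() calls back into the pool, standing in for the
    'modified transfer function' in the list above."""
    def __init__(self, reentries):
        self.balances = {}
        self.reentries = reentries      # nested borrow attempts to make

    def transfer(self, pool, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount
        if self.reentries > 0:
            self.reentries -= 1
            try:
                pool.borrow(to, self, amount)   # re-enter before debt is recorded
            except RuntimeError:
                pass                            # hardened pool rejects the call


class Pool:
    def __init__(self, hardened):
        self.hardened = hardened
        self.collateral = {}    # account -> collateral value
        self.debt = {}          # account -> borrowed value
        self.locked = False     # reentrancy guard flag

    def borrow(self, account, token, amount):
        if self.hardened and self.locked:
            raise RuntimeError("reentrant call")
        owed = self.debt.get(account, 0)
        if owed + amount > self.collateral.get(account, 0):
            raise RuntimeError("insufficient collateral")
        self.locked = True
        try:
            if self.hardened:   # effects first: debt is visible to any callback
                self.debt[account] = owed + amount
                token.transfer(self, account, amount)
            else:               # interaction first: the check above sees stale debt
                token.transfer(self, account, amount)
                self.debt[account] = self.debt.get(account, 0) + amount
        finally:
            self.locked = False


def run(hardened, collateral=100, amount=100, reentries=3):
    """Return (tokens received, debt recorded) for one top-level borrow."""
    pool, token = Pool(hardened), CallbackToken(reentries)
    pool.collateral["acct"] = collateral
    pool.borrow("acct", token, amount)
    return token.balances["acct"], pool.debt["acct"]
```

With 100 units of collateral, run(False) pays out 400 units because every nested call passes the collateral check against stale debt, while run(True) pays out 100.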
Your funds are ZEFU!
While the attacker did not exploit any vulnerability in Zenfuse itself, we decided to take every measure possible to mitigate the issue given that it impacted our community. Maintaining our project’s integrity, security, and trust is of the utmost importance, so our community can rest easy knowing that their $ZEFU tokens are always safe.
That is why we decided to use part of our budget to refund affected users. Additionally, we’ve also allocated funds for regular third-party security audits, with every minor update to our platform undergoing thorough testing and bug bounties to prevent any attack vectors.
We are confident in our expertise and capacity to deliver, but we also know the importance of peer review and third-party audits. With that being said, rest assured that this incident will not diminish our commitment to upholding the milestones described in our roadmap.
About Zenfuse
Zenfuse is a powerful all-in-one platform for cryptocurrency traders and investors.
It aggregates multiple cryptocurrency exchanges, allowing control of funds via API, and powers up the trading process, making trading more profitable, simple, and stress-free.
Our cross-platform app provides rich analytics of both your portfolio and order history, giving you the ability to control your funds on a mobile device.