Insurance Protocol Cover Exploited for $9.4M

DeFi’s rising insurance protocol Cover Finance was exploited for $9.4M worth of user funds after a group of hackers used a faulty smart contract to mint quadrillions of COVER tokens.

Cover Finance allows users to buy smart contract protection on supported DeFi protocols by buying CLAIM tokens that can be redeemed in the event of a hack on the contract in question. Liquidity providers, or LPs, provide capital in exchange for NOCLAIM tokens, and earn fees when CLAIM tokens are purchased and no hack occurs during the claim window.

To incentivize the insurance pool, Cover has been running what it calls a Shield Mining program, allowing LPs to earn COVER tokens for providing liquidity to select smart contracts.

Infinite Mint

Over the weekend, a hacker noticed they were able to exploit the Shield Mining rewards contract to mint more COVER than what they were technically owed. The flaw allowed them to mint a theoretically infinite number of tokens, which they could then sell on the open market. After the hacker started the exploit, others jumped on the infinite-mint loophole as well. 

The COVER token has plunged by more than 90%, to $6.8 currently from over $900 before the attack.

Grap Hat Attack

With the Cover team asleep, Grap Finance took the opportunity to act as a white hat, exploiting the bug to drain the remainder of the liquidity pools for 4350 ETH, worth roughly $3M, which is currently in this address.

“Next time, take care of your own shit,” stated the transaction which sent the remaining ETH from Grap Finance back to the Cover team.

An additional ~91 ETH was returned by other hackers.

Yearn, which recently said it was merging with Cover, also had its developers rush to the rescue.

Reimbursement Program

Now, Cover is planning a reimbursement program for LPs using a snapshot taken prior to the hack. It will distribute 4,441.8 ETH returned by hackers proportionally to depositors in eligible liquidity pools. The team also plans to mint a new COVER token, and reimburse those who had COVER in their wallets at the time of the attack at 1:1, according to a post.

With COVER profits wiped out in an instant, some DeFi degens may start to feel like ‘being rugged is a DeFi rite of passage’.

The exploit shows that even audited protocols can have vulnerabilities, and users should be prepared to lose 100% of the funds they deploy into these nascent financial tools.