An attacker stole at least $370,000 worth of USDC stablecoins from a smart contract on the Avalanche blockchain in a flash loan attack, affecting multiple liquidity providers.
Avalanche says the incident does not point to an issue on the Avalanche network but is “an issue with the smart contract built on the network. An analogue would be Gmail having an issue, rather than the internet itself,” a spokesperson for the company tells Information Security Media Group.
Flash loans are fast, uncollateralized cryptocurrency loans, where a user can borrow and repay funds within one transaction. The attacker exploited a vulnerability in the smart contract in question, called CauldronV2, to manipulate the exchange rate of the stablecoin, says blockchain security firm CertiK.
The attack affected lending protocol Nereus Finance, decentralized exchange Trader Joe and automated market maker Curve Finance, all of which run on the Avalanche blockchain, CertiK says.
Meanwhile, the attacker appears to have transferred the funds from the Avalanche blockchain to the Ethereum network, says Martin Hiesboeck, head of research at cryptocurrency financial services provider Uphold Inc., citing on-chain data from Avalanche explorer Snowtrace.io.