Nereus Finance Loses $371k in Avalanche Flash Loan Attack

A scammer used a special smart contract on Nereus Finance to deploy a $51 million flash loan and manipulate the AVAX/USDC Trader Joe LP pool pricing for a single block. The scammer made off with a net $371,000 in USD Coin (USDC).

Nereus Finance, an Avalanche-based finance protocol, was the victim of a devious attack in which a user obtained $371,000 in USD Coin (USDC) by abusing a smart contract.

CertiK, a blockchain cybersecurity firm, was among the first to notice the vulnerability on Tuesday, noting that the attack affected liquidity pools on Nereus related to decentralized exchange (DEX) Trader Joe and automated market maker Curve Finance. CertiK also claimed that the underlying protocols were disrupted. Curve Finance, on the other hand, stated on Twitter that assets were impacted, not protocols.

Nereus Finance published a detailed write-up of the event on Wednesday, revealing how the “exploiter” was able to deploy a custom smart contract that used a $51 million flash loan from Aave to artificially manipulate the Avalanche (AVAX)/USDC Trader Joe LP (JLP) pool price for a single block.

As a consequence, the unidentified hacker was able to mint 998,000 units of Nereus’ native coin NXUSD against collateral of $508,000. They subsequently swapped these funds into various assets through several liquidity pools, resulting in a net profit of $371,406 once the flash loan was repaid. The event resulted in the creation of $500,000 in bad debt in the NXUSD protocol.

Nereus Finance to the Rescue 

According to the Nereus team, they acted quickly to correct the problem. They liquidated and suspended the exploited JLP market after consulting security experts, devising a mitigation strategy, and contacting law enforcement. According to reports, the bad debt was paid off with NXUSD from the team’s treasury.

The exploit, according to Nereus, was caused by a “missed step” in the pricing computation, which left it open to abuse. It did, however, emphasize that “no user money is at risk, and NXUSD remains over collateralized,” and that the “Lending and Borrowing protocol was not affected by this vulnerability.”
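To illustrate why an LP collateral price can move within a single block, the following added example (not code from Nereus or from the original article) compares a reserve-based LP token valuation with the widely used "fair LP pricing" formula and a deviation check. The article does not say what the missed step was, so the constant-product pool, the naive valuation, the function names, and every number here are assumptions constructed for illustration.

```python
from math import sqrt

def swap_usdc_for_avax(avax, usdc, usdc_in, fee=0.003):
    """Constant-product swap (x * y = k); returns the reserves after the trade."""
    effective_in = usdc_in * (1 - fee)
    avax_out = avax * effective_in / (usdc + effective_in)
    return avax - avax_out, usdc + usdc_in

def naive_lp_price(avax, usdc, supply):
    """Values AVAX at the pool's own spot price, so pool value is 2 * usdc."""
    return 2 * usdc / supply

def fair_lp_price(avax, usdc, supply, avax_ref_usd):
    """2 * sqrt(k * p_avax * p_usdc) / supply with p_usdc = 1.
    p_avax comes from a reference feed outside the pool (assumed available)."""
    return 2 * sqrt(avax * usdc * avax_ref_usd) / supply

def collateral_price_ok(avax, usdc, supply, avax_ref_usd, tolerance=0.02):
    """Refuse to value collateral when the pool-derived price strays from
    the fair price by more than `tolerance` (hypothetical 2% default)."""
    fair = fair_lp_price(avax, usdc, supply, avax_ref_usd)
    naive = naive_lp_price(avax, usdc, supply)
    return abs(naive - fair) / fair <= tolerance

# Constructed pool state: 100k AVAX, 2M USDC, 400k LP tokens, AVAX at $20.
AVAX, USDC, SUPPLY, AVAX_REF = 100_000.0, 2_000_000.0, 400_000.0, 20.0
# Reserves after one large same-block trade (constructed size).
SKEWED = swap_usdc_for_avax(AVAX, USDC, 6_000_000.0)

if __name__ == "__main__":
    for label, (a, u) in (("balanced", (AVAX, USDC)), ("skewed", SKEWED)):
        print(label,
              "naive=%.2f" % naive_lp_price(a, u, SUPPLY),
              "fair=%.2f" % fair_lp_price(a, u, SUPPLY, AVAX_REF),
              "accepted=%s" % collateral_price_ok(a, u, SUPPLY, AVAX_REF))
```

The reserve-based price quadruples while the fair price moves only by the swap fee retained in the pool, which is what the deviation check keys on.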

Nereus is a non-custodial liquidity market protocol that allows users to participate as depositors or borrowers. Depositors supply liquidity to the market in order to earn a passive income, while borrowers can borrow in an over-collateralized (perpetual) or under-collateralized (one-block liquidity) fashion.