DeFi protocol Warp Finance says it has recovered 75% of stolen funds, about $5.85 million
December 21, 2020, 2:45AM EST · 2 min read
- DeFi lending protocol Warp Finance has recovered 75% of the funds it lost in a flash loan attack last week.
- According to The Block’s research analyst Igor Igamberdiev, Warp could recover the funds because it transferred admin rights of its smart contract to one of its externally-owned addresses.
- The recovery raises the question of how is Warp decentralized?
Decentralized finance (DeFi) lending protocol Warp Finance, which lost $7.7 million last week in a flash loan attack, has recovered 75% of the funds or about $5.85 million.
Announcing the update on Sunday, Warp said it regained the funds in the form of ETH/DAI LP tokens, i.e., Uniswap liquidity provider tokens consisting of ether and DAI deposits. The funds, however, were lost in DAI and USDC stablecoins.
"The reason we have chosen to return LP tokens instead of stablecoins is that these are the tokens we've been able to recover," said Warp. It did not explain how, specifically, the funds were recouped. Last week, Warp did say approximately $5.5 million are "still secured in the collateral vault." The Block has reached out to Warp to learn more about the recovery and will update this story should we hear back.
According to The Block's research analyst Igor Igamberdiev, Warp could recover the funds because it transferred admin rights of its smart contract to one of its externally-owned addresses. That allowed Warp to use the "LiquidateAccount" function and liquidate the attacker's position. Warp couldn't use this function right after the attack because of a two-day timelock on admin updates, said Igamberdiev.
So, if Warp can control and liquidate user funds, how does that make it "decentralized?" The situation is indeed "pretty dangerous," said Igamberdiev, adding that Warp still hasn't begun the process for returning admin rights to its smart contract.
That means if any of Warp's developers acts maliciously, they could liquidate funds of users who have open positions in Warp. Currently, the protocol is suspended and is preparing to relaunch.
As for reimbursement of the recovered funds, Warp said it will distribute the amount to affected users within 24 hours, in proportion to the amount of wUSDC and wDAI held at the time of the attack.
Warp said it will also issue "Portal IOU ['i owe you'] tokens" to affected users to make them whole, details of which will be shared "in the coming days."
Update: This story has been updated with additional information and comments from The Block's research analyst Igor Igamberdiev.
© 2021 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.