DeFi protocol Warp Finance says it has recovered 75% of stolen funds, about $5.85 million

Quick Take

  • DeFi lending protocol Warp Finance has recovered 75% of the funds it lost in a flash loan attack last week.
  • According to The Block’s research analyst Igor Igamberdiev, Warp could recover the funds because it transferred admin rights of its smart contract to one of its externally-owned addresses.
  • The recovery raises the question of how is Warp decentralized? 

Decentralized finance (DeFi) lending protocol Warp Finance, which lost $7.7 million last week in a flash loan attack, has recovered 75% of the funds or about $5.85 million.

Announcing the update on Sunday, Warp said it regained the funds in the form of ETH/DAI LP tokens, i.e., Uniswap liquidity provider tokens consisting of ether and DAI deposits. The funds, however, were lost in DAI and USDC stablecoins.

"The reason we have chosen to return LP tokens instead of stablecoins is that these are the tokens we've been able to recover," said Warp. It did not explain how, specifically, the funds were recouped. Last week, Warp did say approximately $5.5 million are "still secured in the collateral vault." The Block has reached out to Warp to learn more about the recovery and will update this story should we hear back.

According to The Block's research analyst Igor Igamberdiev, Warp could recover the funds because it transferred admin rights of its smart contract to one of its externally-owned addresses. That allowed Warp to use the "LiquidateAccount" function and liquidate the attacker's position. Warp couldn't use this function right after the attack because of a two-day timelock on admin updates, said Igamberdiev.

So, if Warp can control and liquidate user funds, how does that make it "decentralized?" The situation is indeed "pretty dangerous," said Igamberdiev, adding that Warp still hasn't begun the process for returning admin rights to its smart contract.

That means if any of Warp's developers acts maliciously, they could liquidate funds of users who have open positions in Warp. Currently, the protocol is suspended and is preparing to relaunch.

As for reimbursement of the recovered funds, Warp said it will distribute the amount to affected users within 24 hours, in proportion to the amount of wUSDC and wDAI held at the time of the attack.

Warp said it will also issue "Portal IOU ['i owe you'] tokens" to affected users to make them whole, details of which will be shared "in the coming days."

Update: This story has been updated with additional information and comments from The Block's research analyst Igor Igamberdiev.

© 2021 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

Related Reading

Get Your Crypto
Daily Brief

Delivered daily, straight to your inbox.

Layer-1 Platforms: A Framework for Comparison

The Block Research was commissioned by Algorand to create Layer-1 Platforms: A Framework for comparison, which provides a “look under the hood” at seven platforms: Algorand, Avalanche, Binance Smart Chain, Cosmos, Ethereum/Ethereum 2.0, Polkadot, and Solana. We assess their technical design, related ecosystem data, and qualitative factors such as key ecosystem members to get an understanding of how they differ. Having done this analysis, we draw some insights for what the future of the broader smart contract landscape could look like for years to come. 
Read Full Story
Aug 11, 2021, 5:18PM UTC