DeFi protocol Warp Finance says it has recovered 75% of stolen funds, about $5.85 million

Quick Take

  • DeFi lending protocol Warp Finance has recovered 75% of the funds it lost in a flash loan attack last week.
  • According to The Block’s research analyst Igor Igamberdiev, Warp could recover the funds because it transferred admin rights of its smart contract to one of its externally-owned addresses.
  • The recovery raises the question of how decentralized Warp really is.

Decentralized finance (DeFi) lending protocol Warp Finance, which lost $7.7 million last week in a flash loan attack, has recovered 75% of the funds, or about $5.85 million.

Announcing the update on Sunday, Warp said it regained the funds in the form of ETH/DAI LP tokens, i.e., Uniswap liquidity provider tokens consisting of ether and DAI deposits. The funds, however, were lost in DAI and USDC stablecoins.

"The reason we have chosen to return LP tokens instead of stablecoins is that these are the tokens we've been able to recover," said Warp. It did not explain how, specifically, the funds were recouped. Last week, Warp did say approximately $5.5 million are "still secured in the collateral vault." The Block has reached out to Warp to learn more about the recovery and will update this story should we hear back.

According to The Block's research analyst Igor Igamberdiev, Warp could recover the funds because it transferred admin rights of its smart contract to one of its externally-owned addresses. That allowed Warp to use the "LiquidateAccount" function and liquidate the attacker's position. Warp couldn't use this function right after the attack because of a two-day timelock on admin updates, said Igamberdiev.

So, if Warp can control and liquidate user funds, how does that make it "decentralized?" The situation is indeed "pretty dangerous," said Igamberdiev, adding that Warp still hasn't begun the process for returning admin rights to its smart contract.

That means if any of Warp's developers acts maliciously, they could liquidate funds of users who have open positions in Warp. Currently, the protocol is suspended and is preparing to relaunch.

As for reimbursement of the recovered funds, Warp said it will distribute the amount to affected users within 24 hours, in proportion to the amount of wUSDC and wDAI held at the time of the attack.

Warp said it will also issue "Portal IOU ['i owe you'] tokens" to affected users to make them whole, details of which will be shared "in the coming days."


Update: This story has been updated with additional information and comments from The Block's research analyst Igor Igamberdiev.


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Yogita Khatri is a senior reporter at The Block, covering all things crypto. As one of the earliest team members, Yogita has played a pivotal role in breaking numerous stories, exclusives and scoops. With nearly 3,000 articles under her belt, Yogita holds the record as The Block's most-published and most-read author of all time. Prior to joining The Block, Yogita worked at crypto publication CoinDesk and The Economic Times, where she wrote on personal finance. To contact her, email: [email protected]. For her latest work, follow her on X @Yogita_Khatri5.