DeFi protocol Cover exploited, attackers minted at least 40 quintillion tokens

Quick Take

  • Decentralized finance (DeFi) protocol Cover, which recently merged with Yearn.Finance, has just been exploited.
  • One of the attackers was able to mint 40 quintillion COVER tokens (worth about $11,826 quintillion at the time of writing) due to a bug in the protocol’s smart contracts.
  • Hours after the exploit, one of the attackers returned all the liquidated funds and burned the remaining minted tokens. 

Decentralized finance (DeFi) protocol Cover, which recently merged with Yearn.Finance, has just been exploited.

One of the attackers was able to mint 40 quintillion COVER tokens (worth about $11,826 quintillion at the time of writing) due to a bug in the protocol's smart contracts, according to The Block's research analyst Igor Igamberdiev. There could be more exploits due to the bug, said Igamberdiev.

The attackers have sold at least $5 million worth of COVER tokens at the time of writing. It remains to be seen whether they are able to liquidate more, that is, whether they can convert COVER tokens into, say, bitcoin (BTC) or ether (ETH).

The price of the COVER token has fallen sharply since the attacks and is currently trading down by about 67% at around $227, according to CoinGecko.

In light of the attack, crypto exchange Binance has suspended COVER deposits, as well as trading for all COVER trading pairs. COVER withdrawals remain open at the exchange.

Update

Hours after the exploit, one of the attackers (Grap.finance) returned all the liquidated funds, i.e., about $3 million, to the Cover protocol. They converted COVER to ETH first to return the funds, with a message: "Next time, take care of your own shit." The attacker then burned the remaining minted COVER tokens, i.e., more than 40 quintillion. In other words, they only sold 72,900 COVER tokens using Uniswap and Sushiswap and burned the remaining ones.

It remains to be seen whether other attackers will also return the liquidated funds and burn the remaining minted tokens.

Cover said it is still investigating the incident. "The exploit is no longer possible. Please do NOT buy $COVER tokens, and remove your liquidity from the COVER/ETH pool on Sushiswap," it added. "CLAIM/NO CLAIM balancer pools are unaffected."

Cover developers and Yearn founder Andre Cronje did not respond to The Block's requests for comment by press time.



About Author

Yogita Khatri is a senior reporter at The Block, covering all things crypto. As one of the earliest team members, Yogita has played a pivotal role in breaking numerous stories, exclusives and scoops. With nearly 3,000 articles under her belt, Yogita holds the record as The Block's most-published and most-read author of all time. Prior to joining The Block, Yogita worked at crypto publication CoinDesk and The Economic Times, where she wrote on personal finance. For her latest work, follow her on X @Yogita_Khatri5.