On November 7, TheStandard.io, a leading decentralized lending and stablecoin platform on Arbitrum (ARB), Ethereum’s layer-2 scaling network, and on Uniswap (UNI), was exploited in an attack in which the culprit got away with 8,500 USDC.e and 280,000 EUROs.
Analysts at blockchain security firm CertiK, who first reported the hack, noted that the hacker allegedly conducted a low-liquidity exploit of a liquidity pool containing Paxos Gold (PAXG) on the platform, resulting in a combined loss of $264,000 at current prices.
A low-liquidity exploit is a type of attack in which a threat actor takes advantage of a token pool with little liquidity, in this case the PAXG pool, to manipulate the pool’s quoted asset price for financial gain, since a shallow pool lets a relatively small trade move the price sharply.
Hacker Drains PAXG Liquidity Pool on TheStandard.io by Devaluing the Token’s Price
The culprit responsible for the attack on TheStandard.io exploited the DeFi protocol’s PAXG LP to get away with 8,500 USDC and approximately $300,000 worth of EUROs stablecoin on the Arbitrum blockchain.
CertiK also reported that after moving the funds out of the DeFi lending protocol, the hacker used 222,819 EUROs to mint an Algebra Positions NFT on Polygon (MATIC) – a layer-2 scaling solution for Ethereum.
Soon after the attack was brought to its attention, TheStandard.io released a statement assuring customers that all collateral in the platform’s smart vaults was safe. The DeFi exchange also announced that its core team has suspended any new smart vaults from being created and halted the minting of all new EURO stablecoins until the vulnerability has been patched.
According to TheStandard.io, after gaining access to the Paxos vault on Uniswap and Arbitrum, the hacker was able to push the price of PAXG down to $0.01 per token because of the asset’s low liquidity on Arbitrum. With so little market depth, even a trade of the smallest size could move the asset’s price disproportionately.
Prior to the hack, the attacker had deposited 10 Wrapped Bitcoin (WBTC) in a smart vault on the exchange and used it as collateral to borrow the maximum amount of EUROs without getting liquidated. Since they controlled the majority of the liquidity in the PAXG pool on TheStandard.io, they were able to swap the WBTC for PAXG at a manipulated price.
Because PAXG was now priced artificially low, the vault registered as undercollateralized: its PAXG holdings were valued at almost nothing, yet the hacker still held the large amount of EUROs borrowed against them.
The hacker then used the EUROs to drain all liquidity from the EURO/USDC.e pool on the decentralized exchange (DEX) Camelot, further increasing their gains from the attack. As their final move, the attacker deposited the remainder of their ill-gotten gains as liquidity into the DEX, positioning themselves to profit from the pool’s future liquidity.
TheStandard.io expects that if the platform adds more liquidity to the PAXG pool, the attacker, who still controls the vault, will most likely sell the tokens and take the profit.
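The following is an added illustration, not code from the article or from TheStandard.io, of the two mechanics described above: how a constant-product pool’s quoted price moves under a sale depending on the pool’s depth, and a defensive valuation check a lending vault could apply before trusting that price as collateral value. The pool sizes, thresholds and the independent reference price are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Toy x*y=k pool (constructed numbers): `token` is the reserve of the
    risk asset, `quote` the reserve of a USD-like stablecoin."""
    token: float
    quote: float

    def spot_price(self) -> float:
        # Quote units per token implied by the reserves; this is the number a
        # naive on-chain price read would take at face value.
        return self.quote / self.token

    def sell_token(self, amount: float) -> float:
        # Sell `amount` tokens into the pool; reserves move along x*y=k and the
        # quote paid out to the seller is returned.
        k = self.token * self.quote
        new_token = self.token + amount
        new_quote = k / new_token
        paid_out = self.quote - new_quote
        self.token, self.quote = new_token, new_quote
        return paid_out


def price_after_sell(token_reserve: float, quote_reserve: float, amount: float) -> float:
    """Spot price the pool reports after a sale of `amount` tokens."""
    pool = ConstantProductPool(token_reserve, quote_reserve)
    pool.sell_token(amount)
    return pool.spot_price()


def collateral_value(units: float, pool: ConstantProductPool, reference_price: float,
                     min_quote_depth: float = 250_000.0, max_deviation: float = 0.05):
    """Value vault collateral only when the pool price is trustworthy.

    Returns (accepted, value, reason). Both guards are hypothetical: refuse a
    pool whose quote reserve is below `min_quote_depth`, and refuse a pool
    price that deviates more than `max_deviation` from an independent
    `reference_price` (for example a multi-source feed). When accepted, the
    lower of the two prices is used so collateral is never overvalued.
    """
    if pool.quote < min_quote_depth:
        return False, 0.0, "pool too shallow to price collateral"
    price = pool.spot_price()
    if abs(price - reference_price) / reference_price > max_deviation:
        return False, 0.0, "pool price deviates from reference"
    return True, units * min(price, reference_price), "ok"
```

With the constructed numbers, selling 10 tokens into a pool holding 10 tokens and 20,000 quote cuts the quoted price from 2,000 to 500, while the same sale into a pool holding 1,000 tokens and 2,000,000 quote moves it by about 2%; the depth and deviation guards reject the shallow pool’s price and accept the deep pool’s.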
TheStandard.io Ready to Make a Deal With the Hacker
The platform posted a request on X, pleading with the exploiter to come forward as a white hat and to contact the team via direct message. TheStandard.io appears to be at the hacker’s mercy, describing itself as a “small project trying to build something good for the world”.
Recently, hackers have been targeting DeFi and crypto projects with low liquidity as a way to make quick gains. According to a CertiK report, DeFi users lost more than $32.2 million to security breaches and scams in October.
The TheStandard.io case is still developing, and further details are expected to emerge.