Hackers attacked decentralized exchange (DEX) QuickSwap today, making away with $220,000 in a flash loan exploit.
The DEX said Monday that it had closed QuickSwap Lend, its lending protocol, following the exploit. It added that the only platform hit by an exploit was its Market XYZ lending market.
Users also didn’t lose any funds, according to the DEX. Flash loans, popular in the world of DeFi (decentralized finance), allow crypto users to take out instant loans without collateral.
⚠️QuickSwap Lend is closing⚠️
🔗$220k was exploited in a flash loans attack due to a vulnerability with the Curve Oracle, which @marketxyz was using
☣ Only the Market XYZ lending market was compromised. QuickSwap’s contracts are unaffected
— QuickSwap (@QuickswapDEX) October 24, 2022
But they are prone to exploits—like QuickSwap’s today. Flash loan exploits—which happen a lot in DeFi—are when a highly capitalized bad actor manipulates the price of an asset by taking out lots of loans, and then quickly sells back the borrowed capital to earn a profit.
Blockchain security firm PeckShield posted details of the exploit. A few hours later, the hackers were using sanctioned coin mixer Tornado Cash to hide the origin of the funds, according to Etherscan data.
People use QuickSwap to swap tokens. As a DEX, it requires no sign-up (unlike a centralized exchange like Coinbase) and has no middle-man—so anyone can use it.
QuickSwap is a fork of the Uniswap DEX, one of the biggest DeFi apps in the crypto space. But unlike Uniswap, it doesn’t run on Ethereum but Polygon, the blockchain which hosts the 12th biggest cryptocurrency, MATIC.
DEXs are vulnerable to flash loans and other hacks, though, and as users are completely in control of their funds, there is no insurance—as there would be on a centralized exchange.
Stay on top of crypto news, get daily updates in your inbox.