Polygon stablecoin QiDAO exploited for $13M on Superfluid vested contract

Polygon’s native stablecoin protocol QiDAO faced an exploit on its Superfluid vesting contract, leading to a 65% drop in the price of the governance token QI. The QI price fell from $1.24 to $0.18.

QiDAO took to Twitter on Tuesday to acknowledge the exploit on the Superfluid vesting contract, but assured users that their funds are safe and that no funds from QiDAO have been affected. Superfluid also confirmed the exploit and said it is investigating the situation and will provide updates. The Superfluid protocol enables users to move assets on-chain in a constant, real-time flow from one wallet to another.

While there was no impact on users’ funds, the hackers behind the attack managed to get away with $20 million worth of tokens, including 24 WETH, 562,000 USDC, 44 SDT, 1.5 million MOCA, 23,000 STACK and nearly 40,000 sdam3CRV. Early information suggested that the stolen funds belonged to some of the early backers of the project and included team vested tokens as well.

Reported hacker wallet activity. Source: Polygonscan

Crypto analytics group SlowMist created a fund tracker showing the balance of each stolen token. After analyzing the wallet transaction data, they estimated that the hackers managed to steal about $13 million worth of cryptocurrencies.

Hacker’s reported balance. Source: SlowMist

The hackers behind the attack started dumping stolen QiDAO on Quickswap DEX with high slippage, leading to a 65% decline in the price of the governance token. The Polygon community took the opportunity to buy the dip, which has already helped the governance token reach up to $0.6 after falling below $0.18. It is important to note that the exploit was carried out using a vulnerability in Superfluid, and QiDAO itself wasn’t exploited.

QiDAO temporarily paused its bridge after the exploit and hoped to resolve the issue soon. The exploit came within 24 hours of Polygon’s $450 million fundraise. However, the community showed immense support for the native stablecoin protocol and stressed that the exploit was caused by the third-party vulnerability rather than by an issue with the stablecoin protocol.