Earlier today a vulnerability in the DeFi Saver Exchange was disclosed to our team.
All funds (~$30k) affected by the vulnerability are safe and will be returned to their owners. We performed a white hat attack to move affected funds to a smart contract from where the funds can only be withdrawn by their original owner addresses.
These two smart contracts were deployed and used to (1) move funds and (2) keep them for their owners until withdrawal:
During the process a number of our transactions were front-run by arbitrage bots that detected these incoming transactions, but all of the funds collected by these bots have since also been returned.
No other part of DeFi Saver was affected by this vulnerability. Our Automation system, as well as MakerDAO, Compound and Smart Savings dashboards are not affected by this vulnerability in any way.
Securing your account
If you ever used the DeFi Saver Exchange to swap tokens, please go to http://app.defisaver.com/safeguard/ and remove approvals for all listed tokens and contracts.
Removing approvals will secure your account from being affected by this vulnerability.
If your funds have been moved from your wallet, please take these steps to recover them:
- Go to: http://app.defisaver.com/safeguard/
- Remove approvals for all listed tokens and contracts
- Click the Withdraw button to withdraw any moved funds
Once these approvals have been removed, your account can no longer be affected by this vulnerability in any way.
We will share more details about the vulnerability as well as steps that we plan to make to prevent this from ever happening again early next week.