Disclosing a recently discovered Exchange vulnerability
Earlier today a vulnerability in the DeFi Saver Exchange was disclosed to our team.
All funds (~$30k) affected by the vulnerability are safe and will be returned to their owners. We performed a white hat attack to move affected funds to a smart contract from where the funds can only be withdrawn by their original owner addresses.
These two smart contracts were deployed and used to (1) move funds and (2) keep them for their owners until withdrawal:
- https://etherscan.io/address/0x9523fe0d1d488cafddfb3dce28d7d177dddbc300
- https://etherscan.io/address/0xe05b162cd6571e825484ae95a93bfac02e64b05a
During the process a number of our transactions were front-run by arbitrage bots that detected these incoming transactions, but all of the funds collected by these bots have since also been returned.
No other part of DeFi Saver was affected by this vulnerability. Our Automation system, as well as MakerDAO, Compound and Smart Savings dashboards are not affected by this vulnerability in any way.
Securing your account
If you ever used the DeFi Saver Exchange to swap tokens, please go to http://app.defisaver.com/safeguard/ and remove approvals for all listed tokens and contracts.
Removing approvals will secure your account from being affected by this vulnerability.
Retrieving funds
If your funds have been moved from your wallet, please take these steps to recover them:
- Go to: http://app.defisaver.com/safeguard/
- Remove approvals for all listed tokens and contracts
- Click the Withdraw button to withdraw any moved funds
Once these approvals have been removed, your account can no longer be affected by this vulnerability in any way.
If funds were moved from your wallet, but you are not able to withdraw them through the interface, please contact us in our Discord or via Twitter DMs.
We will share more details about the vulnerability as well as steps that we plan to make to prevent this from ever happening again early next week.
If you need any help please contact us in the DeFi Saver Discord. You can also DM us via Twitter if more convenient.