Oct 24, 2022 Frank Stewskid

A market manipulation reported by Peckshield causes a chain reaction in other protocols

Peckshield disclosed a market manipulation exploit on the miMATIC market on the lending platform market.xyz last night. Market.xyz has still not commented on the matter, and the community Discord is silent, even though a user asked for a response from a community manager.

At first, when Peckshield tweeted about the exploit, the company shared the transaction hash and told QiDAO that it “may want to take a look”. 

QiDAO responded by stating that the market.xyz hack was not related to QiDAO smart contracts. It also reiterated that its risk committee monitors collateral and that there is a so-called “Risk Matrix” which tracks on-chain data while issuing risk reports. Furthermore, QiDAO uses Chainlink’s oracles to price its collateral assets, thus safeguarding the value backing the MAI stablecoin.

As the exploit on market.xyz also affected QuickSwap’s pools, which it uses, QuickSwap stated that it is aware of the issue and is preparing a blog post, according to a message from an admin on the platform’s Discord server. At the time of writing, the blog post has still not been shared.

According to Peckshield, the miMATIC market uses “CurvePoolOracle” for its price feed, and through the oracle, the exploiter managed to borrow funds from the market. Apparently, this particular bug had been recently disclosed by Chainsecurity.

The issue, described by Chainsecurity, involves a read-only reentrancy vulnerability. Apparently, the value of one function in some Curve pools (which are often forked) could be manipulated during the removal of liquidity. The exploit was discovered in April 2022. However, the firm only released its report in October 2022, stating that it can now share the technical details “since all teams secured their projects”.
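The inconsistent-read window described above, as an added Python model that is not Peckshield's, Chainsecurity's or Curve's code: a toy pool lowers its LP supply before all balances are paid out, so a price read from inside the payout callback is inflated, while an oracle that refuses to read during the pool's lock rejects it. All names (`ToyPool`, `price_per_lp`, `guarded_oracle`), the numbers and the order of operations are assumptions made for illustration.

```python
class ReentrantRead(Exception):
    """Raised when a price is requested while the pool is mid-operation."""

class ToyPool:
    # Constructed model, not any real pool's code.
    def __init__(self, balances, lp_supply):
        self.balances = list(balances)
        self.lp_supply = lp_supply
        self.locked = False  # reentrancy lock held during state-changing calls

    def price_per_lp(self):
        # Read-only view: pool value per LP token. It takes no lock.
        return sum(self.balances) / self.lp_supply

    def remove_liquidity(self, lp_amount, on_receive):
        self.locked = True
        share = lp_amount / self.lp_supply
        self.lp_supply -= lp_amount  # supply drops first (assumed ordering)
        for i in range(len(self.balances)):
            self.balances[i] -= self.balances[i] * share
            if i == 0:
                on_receive(self)  # payout hands control to the receiver
        self.locked = False

def naive_oracle(pool):
    # Trusts the view function at any time, including mid-withdrawal.
    return pool.price_per_lp()

def guarded_oracle(pool):
    # Mitigation: refuse to price while the pool is mid-operation.
    if pool.locked:
        raise ReentrantRead("pool is mid-operation; price is not trustworthy")
    return pool.price_per_lp()

def observe():
    pool = ToyPool([1000.0, 1000.0], 2000.0)  # constructed sample state
    seen = {"before": naive_oracle(pool)}
    def callback(p):
        seen["during_naive"] = naive_oracle(p)
        try:
            guarded_oracle(p)
            seen["guard_rejected"] = False
        except ReentrantRead:
            seen["guard_rejected"] = True
    pool.remove_liquidity(1000.0, callback)
    seen["after"] = guarded_oracle(pool)
    return seen

if __name__ == "__main__":
    print(observe())
```

The view function needs no state change to return a wrong value, which is why a lending market consuming such a price has to check for the in-progress state itself.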

Last updated: Oct 24, 2022
