TL;DR. All user funds are safe now, and the vulnerabilities exploited by the attackers have been fixed. Losses are estimated at $260 thousand. The team is preparing a compensation plan.
On January 26, while transferring funds to the new XAI + FRAXBP pool, we were subjected to an MEV attack. When exchanging 66,888 DAI, we received only 17,230 USDC because the transaction was sandwiched in the mempool. In total, the attackers managed to steal approximately $49,658 in this step.
As a result of this attack, the price of ZLP in the XAI pool decreased to $0.8213, while the price of ZLP in the MIM pool remained at $1.1252.
This opened a vulnerability: a user was able to run a flashloan attack, depositing $4,000,000 into the protocol several times to obtain ZLP at the low price and then withdrawing it at the inflated price. Links to the transactions:
The ZLP price in the two pools has since leveled off, and there is no risk of a repeat scenario.
The team quickly responded to the attack and stopped all deposits and withdrawals within one hour.
What the team did to eliminate risk in the future:
- A new contract for the XAI strategy with amount control (a check on the received amount) to prevent sandwich (MEV) attacks;
- Deposits and withdrawals were suspended immediately to confirm the safety of user funds;
- Direct deposits and withdrawals are limited to 100k, which makes the attack uneconomical;
- Delegated deposits and withdrawals remain unlimited;
- A plan for compensating users' lost funds.
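The following is an added example, not code from the protocol or this post, that shows the two defensive checks the list above describes: a minimum-received-amount guard that would have rejected the sandwiched swap, and a per-transaction cap combined with a cross-pool LP price deviation check that would have blocked the flashloan deposits. The 1:1 DAI/USDC quote, the 50 bps slippage tolerance, the 1% (100 bps) deviation threshold, and the treatment of the 100k cap as a USD figure are all assumptions; the swap amounts and ZLP prices are the ones reported in this post.

```python
from decimal import Decimal

BPS = 10_000  # basis points: 100 bps == 1%


def min_amount_out(expected_out: int, max_slippage_bps: int) -> int:
    """Lowest acceptable swap output (token base units) for a given tolerance.

    This is the 'amount control' the strategy contract should enforce: if the
    DEX returns less than this, the transaction must revert instead of
    accepting whatever a sandwiching bot leaves in the pool.
    """
    if not 0 <= max_slippage_bps < BPS:
        raise ValueError("slippage tolerance must be in [0, 10000) bps")
    return expected_out * (BPS - max_slippage_bps) // BPS


def swap_is_acceptable(expected_out: int, actual_out: int, max_slippage_bps: int) -> bool:
    """True if the realised output is within tolerance of the quoted output."""
    return actual_out >= min_amount_out(expected_out, max_slippage_bps)


def price_deviation_bps(price_a: Decimal, price_b: Decimal) -> int:
    """Relative gap between two LP prices, in bps of the higher price."""
    hi, lo = max(price_a, price_b), min(price_a, price_b)
    if hi <= 0:
        raise ValueError("prices must be positive")
    return int((hi - lo) * BPS / hi)


def deposit_allowed(amount_usd: int, price_a: Decimal, price_b: Decimal,
                    cap_usd: int, max_deviation_bps: int) -> tuple[bool, str]:
    """Gate a direct deposit/withdrawal on a size cap and on pool price agreement.

    The cap limits how much a single flashloan-funded transaction can move;
    the deviation check refuses to mint or burn LP while the two pools
    disagree on its price, which is exactly the state the arbitrage needed.
    """
    if amount_usd > cap_usd:
        return False, f"amount {amount_usd} exceeds per-transaction cap {cap_usd}"
    dev = price_deviation_bps(price_a, price_b)
    if dev > max_deviation_bps:
        return False, f"LP price deviation {dev} bps exceeds {max_deviation_bps} bps"
    return True, "ok"


def run_incident_checks() -> dict:
    """Replay the figures from the post through both guards (constructed input)."""
    dai_in = 66_888 * 10**18          # DAI has 18 decimals
    expected_usdc = 66_888 * 10**6    # assumption: 1:1 stable-to-stable quote
    received_usdc = 17_230 * 10**6    # USDC has 6 decimals; amount from the post

    zlp_xai = Decimal("0.8213")       # ZLP price in the XAI pool after the sandwich
    zlp_mim = Decimal("1.1252")       # ZLP price in the MIM pool

    swap_ok = swap_is_acceptable(expected_usdc, received_usdc, max_slippage_bps=50)
    dev_bps = price_deviation_bps(zlp_xai, zlp_mim)
    flashloan_ok, reason = deposit_allowed(
        4_000_000, zlp_xai, zlp_mim, cap_usd=100_000, max_deviation_bps=100
    )
    return {
        "dai_in": dai_in,
        "swap_accepted": swap_ok,     # False: 74% shortfall far exceeds 0.5%
        "lp_deviation_bps": dev_bps,  # about 27% gap between the two pools
        "flashloan_deposit_accepted": flashloan_ok,
        "reason": reason,
    }


if __name__ == "__main__":
    for k, v in run_incident_checks().items():
        print(f"{k}: {v}")
```

With the post's numbers, the swap guard rejects the sandwiched trade (it received roughly 26% of the quoted amount against a 0.5% tolerance), and the deposit gate refuses the $4,000,000 flashloan deposit first on the cap and, had the cap not applied, on the roughly 2,700 bps price gap between the two pools. In a real strategy contract the same minimum-output value is passed to the DEX router so the revert happens atomically on-chain rather than in off-chain code.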
In total, the attackers stole $260k. The team is preparing a compensation plan. The plan will be presented in the coming days.