- The DeFi protocol Visor Finance has been hacked, resulting in over $8 million worth of losses.
- A hacker is thought to have exploited a reentrancy bug that allowed them to withdraw funds from a pool.
- The team has announced a token migration after VISR crashed 95%.
The Visor Finance team says it will be launching a token migration to compensate affected users.
Hacker Targets Visor Finance
Visor Finance is the latest DeFi protocol to suffer a multi-million dollar hack.
The Ethereum-based DeFi project, which aims to enable programmable liquidity, was drained of 8.8 million VISR tokens today after a hacker exploited a reentrancy bug. At the time, VISR was trading at roughly $0.93, bringing the total losses to around $8.2 million.
Reentrancy bugs can prove fatal in DeFi as they create a way for an attacker to mint an unlimited amount of tokens. Though a full post-mortem report has not yet surfaced, it’s thought that the hacker used the bug to change the owner of the rewards contract so that they could mint extra vVISR rewards tokens.
The Visor team shared details of the hack this afternoon, noting that it had discovered an exploit affecting its vVISR staking contract. The team added that no positions or hypervisors were at risk. The incident mainly affects VISR stakers and token holders because the token's price has plummeted since the attack. One VISR is worth only $0.04 at press time after shedding over 95% of its value.
To compensate users, the Visor team has announced that it will be arranging a migration date based on a snapshot taken before the hack. Token migrations are a popular strategy for overcoming DeFi hacks. They work by allowing token holders to redeem an equivalent amount of new tokens based on their original holdings. In this case, they’ll be able to redeem based on the amount of VISR they held.
Visor presents itself as an asset management protocol for the DeFi ecosystem. It’s built on Uniswap V3 and aims to create a way for projects and liquidity providers to optimize their returns. Users can deposit assets to a vault in return for an NFT, and their assets are managed by other smart contracts called Hypervisors and Supervisors. Visor raised $3.5 million in July from several big industry players, including 1confirmation, Digital Currency Group, DeFi Alliance, and Spartan.
While Visor has gained traction since its launch, its path hasn’t been particularly smooth. It’s been hacked multiple times throughout this year, though it dismissed its most recent incident in November as the result of “Uniswap V3 arbitrage.” Interestingly, the protocol has been audited by CertiK, a security firm that’s reportedly missed other DeFi vulnerabilities in the past. It also has an ongoing audit with Quantstamp.
Etherscan data shows that the attacker has already traded the majority of their VISR tokens for ETH via Uniswap. They’ve also begun funnelling funds through Tornado.Cash, a bundler for preserving Ethereum transaction history. However, they’ll end up with far less than the $8.2 million notional value because the token’s illiquidity has caused the price to decrease significantly. They’ve deposited 243 ETH worth $978,561 at press time, with about 3.6 million VISR and 0.475 ETH worth a combined total of $135,000 sitting in their wallet. Their identity is currently unknown.
This story is developing and will be updated as further details emerge. Visor Finance did not immediately respond to Crypto Briefing’s request for comment.
Disclosure: At the time of writing, the author of this feature owned ETH and several other cryptocurrencies. They also had exposure to UNI in a cryptocurrency index.