Chibi Finance’s $1 Million Alleged Rug Pull Unveiled: Exploiting Smart Contract Loopholes

Chibi Finance, a decentralized finance (DeFi) yield aggregator on the Arbitrum network, was the subject of an alleged rug pull, or exit scam, that drained about $1 million worth of cryptocurrency from its users. The withdrawal ran through an owner-only "panic" function present in several of the project's smart contracts: the function was designed as an emergency lever for the protocol's operator, and whoever held the owner key could use it to pull every deposit out of the underlying pools with no check independent of that key. The incident shows how privileged administrative functions in DeFi applications can be turned against the users they are meant to protect, and why users need a way to assess that risk before depositing.

CertiK, a blockchain security firm, investigated the attack and provided insights into its execution. By analyzing blockchain data, CertiK identified how the exploit occurred and suggested measures for users to safeguard themselves from potential scams in the future.

Chibi Finance presented itself as a yield aggregator, enabling users to generate returns from various protocols within the Arbitrum ecosystem. The platform experienced significant growth in total value locked (TVL) since its launch in April. Just before the attack, Chibi Finance achieved its goal of $1 million TVL and was listed on CoinGecko, gaining increased exposure.

The attack relied on a privileged function present in eight different smart contracts used by the Chibi Finance protocol. The contracts were not written for Chibi; they were forked from code commonly reused by DeFi aggregators. Among them was a strategy contract with a "panic" function that withdraws all tokens from an underlying pool back into the strategy, which is exactly the step the attacker needed. The function was gated only by the contract's owner address, and that address was controlled by the project's own creator, so the same key that deployed the protocol could pull every user's funds out of the pools with no timelock, multisig, or other independent check in the way.

The attacker began by withdrawing Ether (ETH) from Tornado Cash, bridging it to Arbitrum, and deploying a malicious contract. Through a series of transactions the attacker then took administrative control of the Chibi Finance contracts and called the panic function on each of them. Each call triggered an emergency withdrawal from the underlying DeFi pools, including positions on SushiSwap and Aave, bringing the deposits back under the attacker's control and costing investors over $1 million.
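As an added illustration (not Chibi Finance's code, and not taken from CertiK's report), the following Solidity sketch shows the forked strategy pattern described above: an owner-only panic() that pulls everything out of the farm, the "rescue" function that turns it into a drain, and a minimal timelock which, once made the strategy's owner, forces any such call to be announced on-chain before it can execute. The IFarmPool interface, all contract and function names, and the Timelock design are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Illustrative strategy in the style of the commonly forked "panic()" pattern.
// Not Chibi Finance's code; IFarmPool, the names and Timelock are assumptions.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IFarmPool {
    // Assumed farm API: pulls the whole stake out, forfeiting pending rewards.
    function emergencyWithdraw(uint256 pid) external;
}

abstract contract Owned {
    address public owner;
    event OwnershipTransferred(address indexed from, address indexed to);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // The attack path runs through this: hand ownership to an
    // attacker-controlled contract, then call panic() from it.
    function transferOwnership(address to) external onlyOwner {
        emit OwnershipTransferred(owner, to);
        owner = to;
    }
}

contract Strategy is Owned {
    IERC20 public immutable want;     // the token users deposit
    IFarmPool public immutable pool;
    uint256 public immutable pid;
    bool public paused;

    constructor(IERC20 _want, IFarmPool _pool, uint256 _pid) {
        want = _want;
        pool = _pool;
        pid = _pid;
    }

    // Emergency lever: pull every deposited token out of the farm and park it
    // here. Legitimate when the farm is compromised. The modifier only proves
    // the caller is `owner`; it says nothing about whether `owner` is a
    // timelock, a multisig, or one person's hot wallet.
    function panic() external onlyOwner {
        pool.emergencyWithdraw(pid);
        paused = true;
    }

    // "Rescue" for tokens sent here by mistake. Without the first require,
    // the sequence panic() -> inCaseTokensGetStuck(want) drains every user.
    function inCaseTokensGetStuck(address token) external onlyOwner {
        require(token != address(want), "cannot sweep want");
        IERC20 t = IERC20(token);
        require(t.transfer(msg.sender, t.balanceOf(address(this))), "transfer failed");
    }
}

// Minimal delayed executor. Making it the Strategy's owner means any panic()
// or transferOwnership() call is visible on-chain `delay` seconds before it
// can land, so users and monitors can exit first. The cost is that a genuine
// emergency is delayed by the same amount.
contract Timelock {
    address public immutable proposer;
    uint256 public immutable delay;
    mapping(bytes32 => uint256) public readyAt;

    event Scheduled(bytes32 indexed id, address target, bytes data, uint256 at);

    constructor(address _proposer, uint256 _delay) {
        proposer = _proposer;
        delay = _delay;
    }

    function opId(address target, bytes calldata data) public pure returns (bytes32) {
        return keccak256(abi.encode(target, data));
    }

    function schedule(address target, bytes calldata data) external {
        require(msg.sender == proposer, "not proposer");
        bytes32 id = opId(target, data);
        require(readyAt[id] == 0, "already queued");
        readyAt[id] = block.timestamp + delay;
        emit Scheduled(id, target, data, readyAt[id]);
    }

    // Anyone may execute once the delay has elapsed; the entry is cleared
    // first so a queued operation cannot be replayed.
    function execute(address target, bytes calldata data) external {
        bytes32 id = opId(target, data);
        require(readyAt[id] != 0 && block.timestamp >= readyAt[id], "not ready");
        delete readyAt[id];
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}
```

The hardening is a deployment step as much as a code change: deploy Timelock with a multisig as proposer and a nonzero delay, then call strategy.transferOwnership(address(timelock)); from then on panic() can only reach the strategy via timelock.schedule(address(strategy), abi.encodeCall(Strategy.panic, ())) followed by execute() after the delay. The check a depositor can make without reading the full code is to call owner() on each strategy and see whether it returns an externally owned account (a single key, as described for Chibi) or a contract like this one with a delay that leaves time to withdraw.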

The usual advice is to be cautious with apps whose contracts carry a panic or emergency-withdraw function. The tradeoff is real, though: a strategy with no emergency exit can leave funds locked when an undiscovered bug or exploit hits the underlying pool, so the existence of the function is not the problem. What matters is who can call it. Before depositing, users should check whether the owner of each strategy contract is a timelock or multisig rather than a single key, and look for a published audit that covers these privileged functions and their access controls.

The Chibi Finance incident highlights how hard it is for ordinary investors to read smart contract code and judge the security risk, particularly when that risk is a privileged function working as designed rather than a coding bug. Published audits from reputable firms such as CertiK are the most accessible substitute, since a competent audit enumerates owner-only functions and what they can do. No audit report for Chibi Finance appears to have been available, which raises transparency concerns and underscores the need for closer scrutiny in the DeFi space.

Rug pulls and exit scams remain persistent issues within the DeFi sector, posing risks to investors. Recent reports indicate a surge in losses due to such incidents. As the industry evolves, it becomes crucial to prioritize security measures and user protection to foster trust and wider adoption of decentralized finance.
