Blizz Finance & Venus Protocol Exploit - May 2022
What Happened
Two lending platforms suffered significant losses following the Terra ecosystem collapse:
• Venus Protocol (BSC): $13.5M drained
• Blizz Finance (Avalanche): $8.3M drained
Technical Root Cause
The Chainlink price oracle used by both protocols had a hardcoded minimum price (_minAnswer_) set at $0.10 for LUNA. As LUNA's actual market price plummeted below this threshold—dropping "from an ATH of almost $120, just over a month ago"—the oracle became disconnected from reality.
Attack Vector & Exploit Steps
1. LUNA price collapsed well below $0.10 following the failed UST recovery plan
2. Attackers purchased LUNA at actual market prices (fractions of a cent)
3. Deposited LUNA as collateral valued at the oracle's $0.10 minimum
4. Borrowed legitimate assets against vastly overpriced collateral
5. Extracted funds from the protocols
Financial Impact
• Venus: $13.5M loss (TVL ~$1B)
• Blizz: $8.3M loss (entire $8.3M TVL)
Remediation
Venus Protocol suspended activity proactively and implemented:
• Active proposal to resume with LUNA/UST positions suspended
• Risk Fund deployment to cover shortfalls
Blizz Finance could not respond due to timelock constraints, resulting in complete protocol depletion.
Key Addresses
Chainlink Oracle (BSC):
0xec72d46011d67a6ac4fa7d3f476fa2049dc807ee