Team Finance Hack - October 27, 2022
The Exploit
On October 27, 2022, Team Finance confirmed that $14.5 million in crypto tokens had been drained by hackers through a bug in its v2 to v3 migration function on the Ethereum blockchain, despite the contract having been audited.
How the Attack Worked
The attacker took advantage of flaws in the migrate function of the Liquidity Locks smart contract. By locking a token to the contract, the attacker was able to bypass the migrate function's validation code and perform a liquidity transfer to a new attacker-controlled pair on Uniswap v3.
The hacker transferred liquidity from the locked Uniswap v2 pools to attacker-controlled Uniswap v3 pairs created with skewed price ranges. Because the migration function allowed the user to specify the v3 pool parameters and refunded leftover tokens, the attacker pocketed the huge "leftovers" as a refund — the actual mechanism of profit extraction.
Attack Vector / Steps
1. Attacker locked a small amount of a token to the Team Finance Liquidity Locks contract to gain entry to the migrate flow
2. Called migrate while bypassing existing validation mechanisms
3. Migration created a new Uniswap v3 pair under attacker control with extremely skewed pricing parameters (concentrated liquidity at an out-of-range tick)
4. Because only a tiny fraction of the migrated liquidity was needed to seed the v3 position at that price/tick, the rest was refunded to the attacker
5. Repeated across multiple locked pools
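The refund described in steps 3 and 4 follows from the standard Uniswap v3 liquidity formulas. The Python model below is an added example, not Team Finance's contract code: it shows how a skewed price or out-of-range position turns most of the migrated liquidity into "leftovers", and a pre-migration check that rejects such parameters. The function names, tolerances and sample amounts are assumptions.

```python
from math import sqrt, inf

class MigrationRejected(Exception):
    pass

def v3_amounts_used(amount0, amount1, price, price_lo, price_hi):
    """Tokens a v3 position over [price_lo, price_hi] consumes when the pool
    price is `price` (token1 per token0); whatever is left is the refund."""
    if not 0 < price_lo < price_hi:
        raise ValueError("invalid price range")
    sa, sb = sqrt(price_lo), sqrt(price_hi)
    s = min(max(sqrt(price), sa), sb)   # out of range: position is single-sided
    need0 = (sb - s) / (s * sb)         # token0 per unit of liquidity
    need1 = s - sa                      # token1 per unit of liquidity
    liq = min(amount0 / need0 if need0 else inf,
              amount1 / need1 if need1 else inf)
    return liq * need0, liq * need1

def refund_fractions(amount0, amount1, price, price_lo, price_hi):
    """Share of each migrated token that would be refunded instead of pooled."""
    used0, used1 = v3_amounts_used(amount0, amount1, price, price_lo, price_hi)
    return 1 - used0 / amount0, 1 - used1 / amount1

def check_migration(amount0, amount1, price, price_lo, price_hi,
                    max_price_dev=0.01, max_refund=0.02):
    """Hypothetical guard: amount0/amount1 are the tokens withdrawn from the
    v2 pair, so their ratio is the v2 price the v3 pool must stay close to."""
    v2_price = amount1 / amount0
    if abs(price / v2_price - 1) > max_price_dev:
        raise MigrationRejected("price deviates from v2 reserves")
    refunds = refund_fractions(amount0, amount1, price, price_lo, price_hi)
    if max(refunds) > max_refund:
        raise MigrationRejected("refund exceeds cap")
    return refunds

# Constructed sample: 1,000,000 token0 and 1,000 token1 leave the v2 pair.
A0, A1, WIDE = 1_000_000.0, 1_000.0, (1e-12, 1e12)

if __name__ == "__main__":
    print(refund_fractions(A0, A1, 0.001, *WIDE))   # fair price: almost no refund
    print(refund_fractions(A0, A1, 10.0, *WIDE))    # skewed price: token0 refunded
```

Because v2 spot reserves can themselves be moved within a transaction, a production check would compare against a time-weighted or external price rather than the instantaneous ratio used here.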
Attack Cost
• The attacker used 1.76 ETH (~$2,700) as gas to launch the attack — a tiny capital investment for ~$14.5M extracted
Affected Tokens
• CAW (A Hunters Dream): largest loss at $11.5 million
• Dejitaru Tsuka: $1.7 million
• Kondux: $0.7 million
• Feg: $1.9 million
Recovery and Follow-up
• Most funds were later returned by the attacker (a white-hat-style return after negotiation)
• All affected users received the vast majority of their funds back
• Team Finance replaced the previous auditor with CertiK
• Engaged with multiple audit firms
• Enhanced internal software development QA processes
• Beefed up the backend system architecture
• Implemented system-wide third-party software security enhancements