Visor Finance / Gamma vVISR Staking Exploit — December 21, 2021
Overview
On December 21st 2021 at 02:29:11 PM UTC, a malicious contract drained Visor Finance's staking contract of 8,812,958 VISR tokens. At the time, VISR was trading at roughly $0.93, bringing the total losses to around $8.2 million.
Attack Mechanism
The attack was made possible by implementing the IVisor delegateTransferERC20 interface and calling the staking contract's withdraw function with the desired VISR amount. The staking contract's dependence on an arbitrary, caller-supplied IVisor delegateTransferERC20 implementation allowed the attack to take place.
Response and Recovery
The Visor Finance project has merged with Gamma Strategies, and all affected users will be issued new GAMMA tokens. Gamma will be providing liquidity for $GAMMA and will be distributing tokens to all VISR, vVISR and tVISR holders at the time of the snapshot (taken December 21st).
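The trust-boundary defect described under Attack Mechanism, shown beside the fixed-transfer pattern the Recommendations section calls for, as an added illustration that is not Visor Finance's or Gamma's own code; the IVisor signature, the withdraw signatures and the 1:1 payout rate are assumed shapes, not the deployed contract's.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Standard ERC-20 surface used below.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Assumed shape of the caller-implemented hook; the exact signature is
// hypothetical, only the trust boundary matters.
interface IVisor {
    function delegateTransferERC20(address token, address to, uint256 amount) external;
}

// VULNERABLE PATTERN: before paying out VISR, the contract asks code that the
// caller controls to hand back the staking receipt (vVISR). A caller whose
// delegateTransferERC20 does nothing still receives the VISR.
contract VulnerableStaking {
    IERC20 public immutable visr;
    address public immutable vvisr;

    constructor(IERC20 _visr, address _vvisr) { visr = _visr; vvisr = _vvisr; }

    function withdraw(uint256 amount, address from) external {
        // Nothing verifies that `from` is a genuine vault or that any vVISR
        // actually arrived; the payout is unconditional. (1:1 rate, simplified.)
        IVisor(from).delegateTransferERC20(vvisr, address(this), amount);
        require(visr.transfer(msg.sender, amount), "VISR payout failed");
    }
}

// HARDENED PATTERN: pull the receipt with the token's own transferFrom, which
// reverts unless msg.sender really holds and has approved that much vVISR, so
// the payout can only follow a real transfer into this contract.
contract HardenedStaking {
    IERC20 public immutable visr;
    IERC20 public immutable vvisr;

    constructor(IERC20 _visr, IERC20 _vvisr) { visr = _visr; vvisr = _vvisr; }

    function withdraw(uint256 amount) external {
        // Caller must have called vvisr.approve(address(this), amount) first.
        require(vvisr.transferFrom(msg.sender, address(this), amount), "vVISR pull failed");
        require(visr.transfer(msg.sender, amount), "VISR payout failed");
    }
}
```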
Recommendations
The staking contract should not rely on a user-provided contract to implement the required transfer function. The staking contract should instead rely on a fixed transfer implementation such as ERC20.transferFrom. The team engaged with both Quantstamp and ConsenSys Diligence for December and January audits, and this new staking contract was to be included.
Sources