The Superfluid vesting contract of Polygon’s native stablecoin protocol QiDAO was exploited, resulting in a 65% reduction in the price of the governance token QI. The price of QI dropped from $1.24 to $0.18.
On Tuesday, QiDAO acknowledged the Superfluid vesting contract exploit on Twitter, but assured users that their assets are safe and that none of QiDAO’s funds had been harmed. Superfluid verified the QiDAO exploit and stated that they are researching the problem and will provide updates as needed. The protocol allows users to move assets on-chain in a continuous flow from one wallet to another in real-time.
While the user’s assets were not affected, the attackers were able to make off with what was first thought of as an eye-watering $20 million worth of tokens. The stolen assets include 24 WETH, 562,000 USDC, 44 SDT, 1.5 million MOCA, 23,000 STACK, and approximately 40,000 sdam3CRV. According to early reports, the stolen monies belonged to some of the project’s early backers and included team vested tokens.
The team has asked the community to exercise caution and avoid interacting with SuperFluid’s smart contracts, until further notice. Additionally they have asked their users to unwrap all SuperTokens, stating that attackers may be targeting high-value wallets.
SlowMist, a crypto-analytics firm, produced a fund tracker that shows the balance of each coin taken. They assessed that the hackers stole around $13 million worth of cryptocurrency after studying the wallet transaction data.
The hackers behind the attack began dumping stolen QiDAO on Quickswap DEX with heavy slippage, causing the governance token’s price to plummet by 65 percent. After plunging below $0.18, the Polygon community took advantage of the opportunity to buy the dip, helping the governance token rise to $0.6. It’s worth noting that the exploit was carried out utilising a Superfluid vulnerability, rather than QiDAO.
At the time of publication, QI was trading at $0.588237, down by a depressing 43.7%.