link.png

ID:

team-finance-1248

Date:

Status:

Incident Count:

October 27, 2022

Verified

1

info.png
target.png
REKT

Contributor:

chain.png

web3rekt.com

KYC By:

KYC:

None

info.png

Audit By:

Audits:

Zokyo

Loss Amount:

14,500,000

info.png

Recovered:

13,500,000

Rewards:

Ticker:

USD

info.png

Team Finance provides DeFi tools for token holders & businesses to buy, trade, create, and secure crypto assets with confidence. Team Finance, also operates TrustSwap (https://trustswap.com/),

Team Finance reported that $14.5M USD of tokens were exploited through the audited v2 to v3 migration function.

The project team has temporarily paused all activity until the exploit has been remedied.

All funds currently on Team Finance are not at further risk of this exploit.

According to Peckshield, the protocol has a flawed migrate() that is exploited to transfer real UniswapV2 liquidity to an attacker-controlled new V3 pair with skewed price, resulting in huge leftover as refund for profit. Also the authorized sender check is bypassed by locking any tokens.

According to BlockSec, the root cause is that the fake token can be added to the contract and then the fake token is used as a parameter to migrate for the pool [faketoken,WETH]. By doing so, the attacker can get refund during the migration process.

info.png

DISCLAIMER: While web3rekt has used the best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of its information and data herein, and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose. 

Under no circumstances, shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.