Warp Finance — Exploit Summary & Recovery of Funds
UPDATE: At 0230 UTC on December 22nd, 2020 we successfully dispersed ETH/DAI-LP tokens to users worth $5.688m representing approximately 73% of funds.
UPDATE: At 0216 UTC on December 20th, we successfully recovered the exploiter’s loan collateral in the form of ETH/DAI-LP tokens.
UPDATE 20/12/2020 2130: We have updated the snapshot of addresses to also include the addresses with funds that were deposited after the exploit and resulted in a loss. In light of this, we will delay the distribution for 24 hours to ensure the snapshot for compensation distribution is correct.
Summary of Exploit
On December 17th, 2020 the Warp Finance protocol experienced a flash loan exploit due to a gameable oracle that resulted in the user being able to withdraw a $7.76m loan. Due to the nature of the exploit, the collateral value is worth less than the loan, which is why a standard liquidation was unable to take place. The loan collateral has since been secured by the warp finance team and will allow us to return approximately 75% of users’ deposited funds, thanks to support from the Ethereum and white hat community. With special thanks to Emiliano, Banteg, Samczsun, and Julien Bouteloup for their efficient and professional assistance in identifying solutions to return the collateral.
The execution of the exploit involved multiple flash loans via dYdX, multiple flash swaps via Uniswap and multiple instances of flash liquidity. The complexity of the exploit is described well at the following links:
https://twitter.com/Ceazor7/status/1340337671483224070?s=19
https://twitter.com/emilianobonassi/status/1339719073333194754
https://twitter.com/emilianobonassi/status/1339857539857600512?s=20
https://www.rekt.news/warp-finance-rekt/
It’s our commitment to ensure the longevity of the Warp Finance protocol through initially reimbursing the recovered collateral and then making efforts to compensate and incentivize user’s involvement in Warp Finance’s vision.
Distribution of Recovered Funds
Update: distribution transaction.
In approximately 24 hours we will distribute the recovered funds to affected users proportional to the amount of W-USDC and W-DAI held at the time of the snapshot. Basing the distribution of funds on the amount of W-USDC and W-DAI held is important as these tokens were only used within the affected V2 contracts.
In the meantime we encourage the community to verify the integrity of the snapshot as well as the script we used for our calculations. This is all available on our Github.
After 24 hours, on December 21st, 2020 at approximately xx am UTC we will distribute these LPs tokens to affected users. To read how to add these LP tokens to your metamask, please read the following link.
Contract for ETH-DAI UNI-V2 LP: 0xa478c2975ab1ea89e8196811f51a7b7ade33eb11
Reimbursement Plans for Lost Funds
We are reaffirming our commitment to our users with a thoroughly created reimbursement plan. As mentioned above, affected users will receive a distribution of ETH/DAI-LP tokens which are currently worth approximately 75% of the value of the total USDC and DAI deposit amount.
While we are relieved that lost funds have been partially recovered, we see this only as a first step to making Warp Finance users whole. For this reason we will issue Portal IOU tokens to every affected user. The end goal of the IOU token is to fully refund users, and potentially even giving them a profit on what they initially deposited. We will share more information about the IOU token and its design in the coming days. At present, our priority is to return the recovered funds, audit the distribution contracts and ensure absolute security.
What should I do with the LP tokens I receive?
We are aware that some users may not be familiar with how Uniswap LP tokens work. The recovered tokens are ETH/DAI-LP tokens meaning that it’s a token consisting of Ether and DAI deposits. You can use these LP tokens for claiming the underlying assets.
Users will need to visit Uniswap’s pool dashboard and connect their wallet. Now the LP tokens should get recognized and the pool should automatically load. If not, a pool can manually be loaded by using the “Import it” button. After clicking on the pool a user simply needs to click “Remove Liquidity” and follow the next steps. For an in-depth guide please refer to coinmarketcap’s explanation, in which you can scroll down to the “How to Add Liquidity to Uniswap Liquidity Pool” section.
The reason we have chosen to return LP tokens instead of stablecoins is that these are the tokens we’ve been able to recover. We did not want to add any complexity or risk to the refund process. Even a Uniswap liquidity withdrawal and token swap from ETH into DAI is taking a choice away from the users in how their recovered assets are handled.
Conclusion & Moving Forward
We are once again grateful for the assistance we have received from KOLs in the blockchain community. We will soon announce our plan to reward this assistance in the coming days, and will continue working with our supporters and community to structure the most optimal plan for both the reimbursement of users, and the relaunch of the platform. We are committed to providing second order liquidity for financial products in the decentralized finance space — and believe our community members share this same vision. We understand recovering from a vulnerability like this isn’t easy, but we are thankful to have received the help we’ve received, and plan to take the necessary actions to restore confidence in Warp Finance.
In the coming days we will be releasing our Portal IOU token, details on NFTs, our future plans and roadmap, as well as detailed analyses regarding vulnerability identification.
We encourage active and healthy discussion as we move forward and recover from these events:
Twitter: https://twitter.com/warpfinance
Telegram: https://t.me/warpfinance
Discord: https://discord.gg/TYuz9yV
Website: https://warp.finance/
Reddit: https://www.reddit.com/r/warpfinance/
Github: https://github.com/warpfinance/
