DeFi protocol Cover exploited, attackers minted at least 40 quintillion tokens

Decentralized finance (DeFi) protocol Cover, which recently merged with Yearn.Finance, has just been exploited.

One of the attackers was able to mint 40 quintillion COVER tokens (worth about $11,826 quintillion at the time of writing) due to a bug in the protocol's smart contracts, according to The Block's research analyst Igor Igamberdiev. There could be more exploits due to the bug, said Igamberdiev.

The attackers have sold at least $5 million worth of COVER tokens at the time of writing. It remains to be seen whether they are able to liquidate more. In other words, whether they are able to convert COVER tokens into, say, bitcoin (BTC) or ether (ETH).

The price of the COVER token has fallen sharply since the attacks and is currently trading down by about 67% at around $227, according to CoinGecko.

In light of the attack, crypto exchange Binance has suspended COVER deposits, as well as trading for all COVER trading pairs. COVER withdrawals remain open at the exchange.

Update

Hours after the exploit, one of the attackers (Grap.finance) returned all the liquidated funds, i.e., about $3 million, to the Cover protocol. They converted COVER to ETH first to return the funds, with a message: "Next time, take care of your own shit." The attacker then burned the remaining minted COVER tokens, i.e., more than 40 quintillion. In other words, they only sold 72,900 COVER tokens using Uniswap and Sushiswap and burned the remaining ones.

It remains to be seen whether other attackers will also return the liquidated funds and burn the remaining minted tokens.

Cover said it is still investigating the incident. "The exploit is no longer possible. Please do NOT buy $COVER tokens, and remove your liquidity from the COVER/ETH pool on Sushiswap," it added. "CLAIM/NO CLAIM balancer pools are unaffected."

Cover developers and Yearn founder Andre Cronje did not respond to The Block's requests for comments by press time.