
Cyber Incident Victim: Avalanche

Date:

Sep 2022

Location:

United States of America

Summary

An attacker exploited a vulnerability in the CauldronV2 smart contract on the Avalanche blockchain through a flash loan attack, stealing $370,000 worth of USDC stablecoins and causing $500,000 in NXUSD bad debt for the Nereus Finance lending protocol. The attack involved manipulating the AVAX/USDC exchange rate using a $51 million flash loan, impacting liquidity providers across Nereus, Trader Joe, and Curve Finance. The victim paused the exploited market, fixed the vulnerability, and covered the debt using internal funds while offering a 20% reward for the stolen assets' return. The attacker transferred the funds from Avalanche to Ethereum, with the incident attributed solely to the smart contract's flaw rather than the underlying blockchain network.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On September 7, 2022, an attacker exploited a vulnerability in the CauldronV2 smart contract on the Avalanche blockchain, stealing approximately $370,000 worth of USDC stablecoins through a flash loan attack. The attacker utilized a $51 million flash loan to manipulate the exchange rate of the AVAX/USDC liquidity pool on decentralized exchange Trader Joe, artificially inflating the value of collateral deposited into Nereus Finance’s lending protocol. This manipulation enabled the attacker to mint 998,000 NXUSD stablecoins against only $508,000 worth of collateral, creating $500,000 in bad debt for Nereus Finance. Blockchain security firm CertiK confirmed the attack vector, noting that the exploit impacted multiple liquidity providers across Nereus Finance, Trader Joe, and automated market maker Curve Finance, all operating on the Avalanche network. The incident specifically targeted Nereus’ AVAX/USDC Joe LP NXUSD market, where the protocol’s USD-pegged stablecoin (NXUSD) was minted. Nereus Finance paused the exploited market immediately after detection and initiated a recovery process, though it declined to disclose specific detection timelines or technical details to investigators.


Nereus Finance engaged security experts, including PeckShield, to investigate the breach and develop mitigation measures. The company used its own funds to cover the $500,000 bad debt, repaired the smart contract vulnerability, and notified law enforcement authorities. Nereus publicly offered the attacker a 20% "no questions asked" reward—approximately $74,000—for returning the stolen funds, while continuing efforts to trace the thief. On-chain data from Avalanche explorer Snowtrace.io, cited by Uphold Inc.’s research head Martin Hiesboeck, indicated the attacker transferred the stolen assets from Avalanche to the Ethereum blockchain. Avalanche representatives emphasized the incident stemmed solely from the CauldronV2 smart contract flaw, comparing it to an application-level failure rather than a network-level vulnerability. Nereus stated no user funds were compromised outside the exploited market and announced plans to enhance audit protocols and risk mitigation strategies amid ongoing expansion efforts.
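The description above explains the mechanism at the heart of the incident: a lending market that values LP-token collateral using the pool's own reserves can be fooled by a large, temporary swap that skews those reserves. The following is an added illustration, not code from Nereus Finance, Trader Joe, or the CauldronV2 contract, and it assumes (this is an assumption, the record does not state how the market priced its collateral) that the weak point was spot-reserve valuation of the LP tokens. It models a toy constant-product AVAX/USDC pool with constructed reserve figures, values a borrower's LP share two ways, the naive spot-reserve way and the manipulation-resistant "fair reserve" way popularised by Alpha Finance (derive the reserves an arbitrage-balanced pool would hold from the invariant k and an external reference price), and shows that only the naive valuation moves when a large swap passes through the pool.

```python
import math
from dataclasses import dataclass

# Constructed toy model of a constant-product (x * y = k) AVAX/USDC pool.
# Every reserve, LP-token and price figure below is invented for
# illustration; none is an on-chain value from Trader Joe or Nereus.


@dataclass
class Pool:
    reserve_avax: float
    reserve_usdc: float
    total_lp: float  # LP tokens outstanding

    def spot_price(self) -> float:
        """USDC per AVAX implied by the current reserves."""
        return self.reserve_usdc / self.reserve_avax

    def swap_usdc_for_avax(self, usdc_in: float) -> float:
        """Fee-less constant-product swap; returns the AVAX paid out."""
        k = self.reserve_avax * self.reserve_usdc
        new_usdc = self.reserve_usdc + usdc_in
        new_avax = k / new_usdc
        avax_out = self.reserve_avax - new_avax
        self.reserve_usdc, self.reserve_avax = new_usdc, new_avax
        return avax_out


def lp_value_spot(pool: Pool, lp_amount: float) -> float:
    """Naive valuation: price the LP share at the pool's own reserves.

    This equals share * 2 * reserve_usdc, so anyone who pushes a large
    amount of USDC into the pool (even for a single transaction) inflates
    the number this function returns."""
    share = lp_amount / pool.total_lp
    return share * (pool.reserve_avax * pool.spot_price() + pool.reserve_usdc)


def lp_value_fair(pool: Pool, lp_amount: float, external_price: float) -> float:
    """Fair-reserve valuation: from the invariant k and an external AVAX
    price p, compute the reserves an arbitrage-balanced pool would hold,
    sqrt(k / p) AVAX and sqrt(k * p) USDC, and value the share at those.

    The result is 2 * share * sqrt(k * p). An in-pool swap leaves k
    unchanged (ignoring fees), so it cannot move this valuation; only the
    external price feed can, which is why that feed must itself be robust."""
    k = pool.reserve_avax * pool.reserve_usdc
    fair_avax = math.sqrt(k / external_price)
    fair_usdc = math.sqrt(k * external_price)
    share = lp_amount / pool.total_lp
    return share * (fair_avax * external_price + fair_usdc)


def max_mint(collateral_value: float, ltv: float) -> float:
    """Stablecoin that may be minted against collateral at a loan-to-value ratio."""
    return collateral_value * ltv


def demo(flash_swap_usdc: float = 10_000_000.0, ltv: float = 0.8) -> dict:
    """Value the same collateral before and after a large swap, both ways."""
    external_price = 20.0  # constructed reference price, USDC per AVAX
    pool = Pool(reserve_avax=100_000.0, reserve_usdc=2_000_000.0, total_lp=1_000.0)
    collateral_lp = 100.0  # borrower holds 10% of the pool's LP tokens

    before = {
        "spot": lp_value_spot(pool, collateral_lp),
        "fair": lp_value_fair(pool, collateral_lp, external_price),
    }
    pool.swap_usdc_for_avax(flash_swap_usdc)  # the large, temporary swap
    after = {
        "spot": lp_value_spot(pool, collateral_lp),
        "fair": lp_value_fair(pool, collateral_lp, external_price),
        "pool_price": pool.spot_price(),
    }
    return {
        "before": before,
        "after": after,
        "mint_at_spot": max_mint(after["spot"], ltv),
        "mint_at_fair": max_mint(after["fair"], ltv),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the constructed figures, the 100 LP tokens are worth 400,000 USDC under both methods while the pool is balanced. After a 10,000,000 USDC swap the pool's own price jumps from 20 to 720 USDC per AVAX and the spot valuation reads 2,400,000 USDC, six times the fair figure, so a market lending at 80% loan-to-value would let the borrower mint 1,920,000 stablecoins against collateral genuinely worth 400,000. The fair-reserve valuation still reads 400,000 because the swap did not change k. The practical checks this points to for a lending market are: never price LP collateral from the reserves of a single pool in the same transaction, take the reference price from a feed that a flash loan cannot move within one block (a time-weighted or multi-source oracle), and cap how much may be minted against any one collateral type so that a single mis-valued position cannot create bad debt on the scale described above.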

Sources
Sources available to members
1 source