$2 million stolen from DeFi protocol Revest Finance

Decentralized finance (DeFi) protocol Revest Finance said this weekend that $2 million was stolen through a vulnerability on their platform.

Early on Sunday morning, the company announced on Twitter that its Ethereum contracts suffered an exploit allowing hackers to steal BLOCKS, LYXe, ECO, and RENA tokens.

According to blockchain security company PeckShield, the hacker stole 7,699,999 ECO (about $100,000), 579  LYXe ($10,000), 714,999,999 BLOCKS ($1.7 million), and 352,835 RENA ($120,000). The BLOCKS DAO development team was the first to notify Revest of the incident.

Our Ethereum contracts have suffered an exploit; we've taken steps to secure the remaining funds across all chains. Our emergency response team has discovered the root cause and will explore further mitigation and recovery strategies in the morning. Thank you for your patience.

— Revest(@RevestFinance) March 27, 2022

“On March 27th, between 1:41 AM UTC and 2:22 AM UTC, roughly $2M worth of tokens were stolen from the Revest Protocol Token Vault. The first of these thefts were of 352,836 RenaSwap tokens worth $120,000 at the time of theft — these tokens remain in the hacker’s wallet, the only such tokens that have not been cashed out,” Revest CEO Rob Montgomery said in a post on Medium. 

“Following this first attack, the hacker moved on to stealing 715,000,000 BLOCKS DAO tokens, the illegal sale of which resulted in $1.7M of stolen Ether for the hacker. For BLOCKS DAO, this resulted in the reduction of their price by at least 76% and the theft of over 500 Ethereum from their Liquidity Pool. The hacker finally targeted EcoFi with the theft of 7,700,000 ECO tokens, resulting in the theft of $100,000. Smaller amounts of ConstitutionDAO and LUKSO were also stolen during this attack, netting roughly an additional $10-$12K.”

The hacker then swapped all of the tokens besides RENA for Ether and transferred it to crypto-anonymizer TornadoCash, which makes the transactions nearly impossible to trace.

Montgomery said Revest will not be able to recover the funds from the hackers and do not have the money to cover the losses suffered by victims using their platform. They also do not have DeFi insurance, according to Montgomery.

The company pledged to “make things as right as they can possibly be made” but said they “do not yet know what form these actions will take and must speak to the development teams of each impacted protocol on a case-by-case basis to best determine a path forwards for all impacted individuals.”

“This will be developed in the coming days, and we hope to have more specifics to share with you in the near future. Rest assured that you and your pain are not being overlooked, and that you will forever have a place in our community. We will assist in whatever capacity we are able,” Montgomery added. 

On Twitter, Revest said the security patch needed to prevent any future breaches is currently undergoing peer review and is expected to be deployed as soon as possible. The protocol will be brought back online and the unpausing of the $RVST token will be scheduled once the patch is in place, according to Revest. 

They also plan to hire other audit firms to examine their codebase. Montgomery called it a “highly sophisticated attack on a vulnerability that went unnoticed” during their Solidity.Finance audit “as well as the multiple peer-reviews to which we subjected our code.”

1/19): A staking DeFi project on Ethereum has been exploited on March 27th 2022.
We believe it's a classic single-contract re-entrancy attack. Here, we take an attack transaction(https://t.co/bnxvMwRpIe) as an example to illustrate the root cause.

— BlockSec (@BlockSecTeam) March 27, 2022

Several blockchain security companies released detailed blogs and technical Twitter threads explaining how the platform was exploited. 

PeckShield said the hack was made possible due to “missed reentrancy protection for the key functions of Revest.”

UPDATE: Revest Finance CEO Rob Montgomery contacted The Record to say the company has created a plan to reimburse those who lost funds in the attack. 

Montgomery said the company is planning to partner with blockchain firm Blocks on an NFT series.

The series is slated to drop in the next 4-6 weeks and Montgomery explained that the goal is to raise at least 700 Ether which will be used to pay back the entirety of the ~650 ETH that was stolen during the exploit. 

The company is coordinating the effort with the BLOCKS marketing team, community leaders from EcoFi, and the RENA team. 

"We're currently in the late-planning stages of an NFT-based raise. These NFTs will be verified by BLOCKS to ensure metadata point-of-origin and will benefit those impacted by the Revest Protocol exploit," Montgomery said.