DeFi platform robbed of nearly $15 million in hack

UPDATE: In a statement, Team Finance said an analysis of the incident showed that it began at 2 a.m. PT on Thursday morning.

The exploit allegedly targeted a function on the platform that had been audited by a "reputable" security firm and was "not due to any contract upgrade of Team Finance," the company claimed.

"We have temporarily paused new lock creation on the platform. We are currently working with several established security, audit, and blockchain investigation companies to assist with the remediation of this issue," the company said.

"We contacted the affected project teams and are keeping them updated regarding the next steps. We have reached out to the exploiter in an effort to discuss possible resolutions. The exploiter's wallet has been blacklisted on Etherscan, and exchanges have been contacted."

Team Finance spokesperson Brett Fabian told The Record that the person behind the incident has not responded yet to their messages. Fabian would not say how large of a bug bounty the hacker is being offered and explained that their plan to making victims whole is by "recovering the funds held by the hacker."

PREVIOUSLY: Decentralized finance platform Team Finance confirmed on Thursday that hackers exploited a vulnerability and stole $14.5 million worth of cryptocurrency. 

Several blockchain security companies alerted the company of the hack before it released a statement about the issue.

“We have just been alerted of an exploit on Team Finance. We are currently unsure of the details. We urge the exploiter to get in contact with us for a bounty payment. We are working to analyze and remedy the situation at this very moment,” the company said. 

“$14.5M USD of tokens were exploited through the audited v2 to v3 migration function. We have temporarily paused all activity through team finance until we are certain this exploit has been remedied. All funds currently on Team Finance are not at further risk of this exploit.”

$14.5M USD of tokens were exploited through the audited v2 to v3 migration function.

We have temporarily paused all activity through team finance until we are certain this exploit has been remedied.

All funds currently on Team Finance are not at further risk of this exploit.

— Team Finance (@TeamFinance_) October 27, 2022

Team Finance calls itself a "security toolkit for founders that want to create a token and raise money from a community of investors." The platform says it has secured $3 billion in cryptocurrency across 12 different blockchains since it was founded in 2020.

As backlash toward the platform grew online, the company took to Twitter to defend itself, writing that it was “deeply sorry” for the incident.

“We have multiple audits on each and every smart contract by reputable audit companies, and re-audit all new deployments. Actively looking into the exploit, and hopeful to get the funds back. We'll keep everyone updated by the minute,” they said. 

Blockchain security companies PeckShield, SlowMist and BlockSec broke down the specifics of the attack, with each noting that a problem with Team Finance’s code was the source of the issue. 

The attack comes eight days after $8 million was stolen from Moola Market and two weeks after Mango Markets had more than $100 million stolen from its platform. 

Nearly $2 billion worth of cryptocurrency has been stolen in 13 cross-chain bridge attacks, mostly in 2022, according to the blockchain research company Chainalysis, with more than $100 million stolen from companies like Binance, Ronin Network, Harmony and Wormhole.