Midas Capital Pool Exploited for $600k

Midas Capital has paused all its pools after suffering an exploit in one of its pools. Blockchain security firm PeckShield reported that the exploit led to a loss of over $600,000.

DeFi lending and borrowing platform Midas Capital confirmed that the incident did not affect any other pool. The multichain DeFi protocol added that it preemptively paused its pool for further investigation and has contacted the authorities.

The protocol did not provide further information on the amount that was stolen or how it was exploited.

Over $600k Lost to Midas Capital Exploit

In a June 17 tweet, Peckshield stated that over $600,000 was stolen and the root cause of the exploit was a rounding issue in its lending protocol. The exploited Midas Capital lending protocol was forked from Compound Finance V2.

The same vulnerability was previously exploited on the Hundred Finance protocol in April. At the time, Hundred Finance lost about $7 million as the hacker manipulated the price of tokens to drain its lending pools.

Meanwhile, Peckshield noted that the exploiter was already moving the stolen funds, transferring 510 BNB to Tornado Cash.

Another blockchain security firm Certik corroborated the exploit, adding that the DeFi platform suffered a flash loan attack. CertiK said the hacker moved 400 BNB into the crypto mixer while some other gains were bridged to Ethereum.

Second Attack in 6 Months

Meanwhile, this is not the first time Midas Capital has been hacked. Its Jarvis Polygon pool was exploited with a flash loan attack in January 2023, with a hacker stealing $660,000 worth of MATIC tokens. At the time, BeInCrypto reported that Midas offered the hacker a bounty if they chose to return the funds.

DeFi exploits continue to haunt the market, with several crypto projects losing millions to malicious players. Since the beginning of the year, DeFillama data shows that nearly $400 million have been lost to different attacks, including over $100 million lost to the Atomic Wallet breach.