ShadowFi Exploit Allows $300k Liquidity Drain, Massive Cryptocurrency Loss

Arslan Butt

ShadowFi tweeted about the cyber attack. Hackers attacked ShadowFi, a privacy-focused DeFi crypto project. A prominent blockchain security firm, PeckShield, sounded the alarm and revealed that the exploit cost around $300,000.

How did the hack take place?

According to ShadowFi, an attacker drained its liquidity pool contract, leaving it with zero funds. PeckShield claims that the protocol was exploited due to flaws in the SDF token. Because of this vulnerability, anyone could burn the token without authorization.

PeckShield added that the amount of money the hacker took was around $300,000, or 1,078 $BNB. The hacker was named NeorderDAO by the blockchain security company. A spokesperson for the company said the hacker’s name was found in the company’s internal database.

Significant Cryptocurrency Losses Caused by Tornado Cash Use

PeckShield claims that the hackers deposited the looted funds into Tornado Cash. Tornado Cash has caused more harm than good for the cryptocurrency sector. Criminals have used the encryption software to send funds taken from compromised systems.

Since 2019, the program has been used to launder almost $7 billion from numerous cryptocurrency exchanges. Even the notorious North Korean hacking group Lazarus Gang has used Tornado Cash to transfer around $455 million. And hackers stole almost $96 million from Harmony Bridge using Tornado Cash.

Similarly, Nomad was able to wire $7.8 million thanks to the privacy app. On September 1st, KyberSwap was the target of an attack that incurred damages of approximately $265,000. KyberSwap admitted the hack, although it said it was looking into what happened.

After this, the company promised the hacker a 10% reward for the recovery of the looted funds. In the wake of the KyberSwap attack, hackers turned their attention to the ShadowFi DeFi protocol.

Because of its widespread abuse, the US Treasury’s Office of Foreign Assets Control (OFAC) outlawed Tornado Cash last month. OFAC has voiced its disapproval of the role privacy-protecting programs play in the compromise of several crypto networks. Because of the ban, reputable websites had to stop hosting Tornado Cash.

Despite the ban, hackers continue to use the program to transfer funds. Some in the bitcoin community were critical of OFAC’s decision to prohibit Tornado Cash when it was first announced. Businesses that followed OFAC’s orders and ceased accepting Tornado Cash came under heavy criticism.

However, the continued use of the anonymizing app by cybercriminals has made OFAC’s decision to ban it seem reasonable.

ShadowFi promises to solve the problem

More and more often, authorities and stakeholders in the bitcoin industry find themselves the victims of hacks on cryptocurrency exchanges. US regulators banned Tornado Cash to plug specific security holes that hackers exploit.

Nonetheless, Tornado Cash continues to function despite the ban, and the ShadowFi exploiter, the most recent to use the crypto mixer, has not yet been caught. Reports state that the exploiter traded about 8.4 SDF tokens for 1,078 BNB before moving to Tornado Cash.

ShadowFi, for its part, says the group is committed to working toward a solution that benefits customers. According to the protocol, users are asked to be patient while the team works on the issue.