The decentralized finance industry, or as more popularly known as DeFi, has become a haven for illicit actors lurking around the corner to prey on minute vulnerabilities. This time, it was one tiny exploit in a contract that led to scores of setbacks that did not just impact one DeFi token. Here’s what’s happened.
The latest event surrounding Iron Finance has already being heralded as the biggest DeFi robbery and elaborate rug pull. Its native token, TITAN has bottomed out after reeling close to zero. Prior to the downfall, it was trading close to $65 on Wednesday.
Besides, there are many in the community who have speculated that the interest from the television personality and billionaire investor Mark Cuban has only added to its woes as individuals identified his DeFi wallet and alleged him to be the sole provider of TITAN/Dai on Polygon chain.
The fall of the TITAN
At the time of writing, Iron Titanium token was exchanging hands at $0.000000067 and was positioned as the second-biggest loser according to CoinGecko’s stats. The abrupt downturn from TITAN holders has also crashed Iron Finance’s total value locked [TVL] which dropped below $244 million. Just two days ago, the figures had hit $2 billion.
This was enough to send the liquidity of the ecosystem crash to a new low as well as depicted by the image below.
Here’s what Iron Finance had to say about the whole incident, what they described as a “bank run,”
“Dear community, please withdraw liquidity from all pools, as soon as we have a better understanding of this bank run.”
A DeFi community member, Ariah Klages-Mundt, also went on to affirm that the under-collateralized-by-design stablecoin, is facing a bank run on its algorithmic/TITAN portion. This mirrored PegsUSD and Dollar Protocol before it as well as last month’s Terra incident. It was this bank run that was, in fact, “self-reinforcing” with the sharp crash of the price of the TITAN token that “implicitly backs the algorithmic portion.”
TITAN is essentially held by Iron Finance. In May 2021, the platform has started bridging to Polygon’s chain. The main aim of this move was to leverage the latter’s efficiency and low transaction fees.
It tried to initiate a partially collateralized stablecoin, dubbed, IRON, which comprises of p2p payment infrastructure provider, Circle and crypto exchange, Coinbase’s USDC along with TITAN. IRON was pegged to $1. IRON enabled users to mint new stablecoins via a system on Iron Finance’s network wherein they were required to lock up 25% in TITAN token in addition to 75% in USDC stablecoin.
TITAN’s dramatic fall on Wednesday led to an unstable peg with IRON which, in turn, triggered the latter’s value ultimately resulting in a massive dump and its price spiraling to $0.00
But there’s more to this story.
The ripple Effect
TITAN wasn’t the only one that was impacted. So what exactly happened? In the late hours of the 16th of June, several native farm tokens were exploited all the way to zero These were CaramelSwap, YBear, KetchupSwap, Lokum, GoCerberus, Piggy, and Garuda.
According to CoinGecko’s loser list, Ketchup and GoCerberus were worth $0.00 while CaramelSwap also lost 44% of its value.
It all started with an exploit contract called a MasterChef. Well, not a master anymore. This contract is leveraged by a lot of yield farms. It is even used by Binance Smart Chain-based giant PancakeSwap to distribute incentives. However, there lies a big problem with this “trusted” contract. MasterChef, in reality, was never designed with the intention to apply for all these special tokens. Originally, the contract’s main objective was to receive rewards for LP tokens.
However, as the yield farming craze intensified last DeFi summer, it began the addition of non-LP tokens as well. Even then, everything ran smoothly until recently tokens with a transfer fee heated up. Most of these tokens comprise a transfer fee as well for the purpose of their tokenomics. But that is not what MasterChef is designed for.
Along the same line, Thoreum Finance explained,
“Due to the design of the masterchef if you stake 100 tokens (with a 5% transaction fee) in a MasterChef, you are still able to withdraw 100 tokens from the MasterChef. But due to the transfer fee, only 95 tokens actually arrived in the contract.”
The platform soon realized that this could very well transpire with their native GoCerberus, and hence went on to revamp the MasterChef in a bid to eliminate the transaction fee from the balance, hence dodging the issue altogether. However, Thoreum was not able to implement this code in its non-native pools. But this did not bother much since the non-native tokens did not possess a fee, except for the Garuda token.
On the same day, Thoreum observed that the Garuda pool was shrinking and a few users were unable to withdraw. As a preemptive measure, the platform disabled depositing to this pool and started working on a compensation plan after realizing that it could be the transaction fees messing up the process. However, what they did not know was that the fact that it could be escalated to a point of being exploited.
If you found this article interesting, here you can find more DeFi News
