Fantom's DeFi Fantasm Finance (FSM) Exploited; $2.6 Million Lost

Another day, another DeFi hacked: the Fantasm Finance (FSM) team releases a post-mortem for its recent exploit.

Three chains, five assets: Fantasm Finance drained for $2.6 million

According to the official announcement shared by Fantasm Finance DeFi protocol, its mechanism was drained of $2,600,000 on March 9, 2022.

Dear Community, we have published a Post Mortem for the Fantasm Finance Exploit on 09 March 2022.

Please read the article below covering:
- What happened
- Forensic Analysis
- Repayment Plan and Proposed Steps
- Next Taskshttps://t.co/LNoJtoraO1$FSM $XFTM

— Fantasm Finance (@fantasm_finance) March 10, 2022

Per the post-mortem, the exploiters utilized BNB Chain, Fantom and Ethereum. The exploit itself was triggered by a previously unknown error in Fantasm's pool contract.

The contracts' devs missed the condition to check for the minimum amount of FTM injections required to mint XFTM, a synthetic asset of Fantasm.

This flaw allowed the attacker to mint XFTM tokens with only FSM and then exchange XFTM for FTM.

Repayment campaign starts on March 11, 2022

FTM tokens were swapped to Ethers; ETH were moved from the protocol via Celer Bridge. The total amount of losses nets approximately $2,622,097.

Today, on March 10, the attackers started to wash their loot through the Tornado Cash mixer.

#PeckShieldAlert 1,007 ETH into @TornadoCash from @fantasm_finance attacker. https://t.co/DPloeV6Mff pic.twitter.com/c3SEHJvV90

— PeckShieldAlert (@PeckShieldAlert) March 10, 2022

The Fantasm Finance (FSM) team decided to stop XFTM minting and initiate a repayment program. It is set to go live on March 11 at 9:00 a.m. UTC.

Related

Fri, 02/05/2021 - 12:04

Yearn.Finance (YFI) Targeted by "Flash Loan" Attack, $11,000,000 Drained

Vladislav Sopov

As covered by U.Today previously, numerous DeFis fell victim to flash loan attacks in Q1, 2022. Yearn.Finance (YFI) protocol lost $11,000,000 in early February.