Typically, crypto hacks are straightforward enough: find a vulnerability in a project or its code, exploit it, and profit. Last week, a hacker somehow screwed up the third step and after swiping $1 million worth of crypto left it permanently inaccessible.
The target was ZEED DeFi protocol, which runs on the Binance Smart Chain and describes itself as “an autonomous decentralized financial integrated ecosystem,” through its YEED token used in lending agreements. The attacker exploited a loophole in YEED’s token contract that allowed them to extract extra tokens rewarded to YEED liquidity providers, as DeFi security firm BlockSec explained on Twitter. After using this exploit, they sold their outsized rewards and consequently crashed YEED’s price to zero.
The attacker transferred the profits to the attack contract, but quickly called the contract’s self-destruct function, permanently preventing the tokens from ever being moved and effectively “burning” them, in crypto parlance. BlockSec speculated they were “too excited,” but there’s no way to know at this point, and it’s possible they were simply Jokerfied.
“In the principle of decentralization, openness, transparency, and autonomy, YEED have prepared an emergency solution for this attack,” ZEED wrote in a Medium post after the attack. “The execution of the solution will be on a daily basis to be overseen by the YEED community.”
ZEED offered a rough solution timeline that includes repairing, testing, and auditing the smart contract, as well as tracing back data and eventually relaunching the YEED token for trading by April 30. In the meantime, trading and withdrawals have been halted.
In the wake of a crypto hack, it’s common for hackers to either sit on their ill-gotten gains as they try to negotiate with victims, or cash out with a mixing service. But locking those funds away forever is pretty novel. Maybe they had a point to prove, or maybe some people just want to see the crypto world burn.