Team Finance Suffers $14.5 Million Security Breach

October 27, 2022

Summary #

Team Finance experienced a significant breach on the Ethereum blockchain during a migration process from Uniswap v2 to v3, resulting in the theft of approximately $14.5 million. The exploit was executed through vulnerabilities in the smart contract, facilitating unauthorized token transfers and manipulations of the Initialize price within the V3 liquidity pool.

Attackers #

The identity of the hackers who attacked Team Finance is unknown.

Hacker Ethereum Wallets:

Losses #

Team Finance lost approximately $14.5 million in total:

ETH: 880
DAI: 6,429,327
CAW: 74,613,657,704
TSUKA: 1,183,757

Timeline #

October 27, 2022, 07:22:35 AM UTC: The attacker deployed the attack contract and also generated “token A”.
October 27, 2022, 08:29:23 AM UTC: The malicious transaction was executed.
October 27, 2022, 04:21 PM UTC: Team Finance reported about the hack.
October 31, 2022: The attacker returns $7 million in stolen funds.
November 3, 2022: SlowMist, the blockchain security firm, published a hack analysis.

Security Failure Causes #

Smart Contract Vulnerability: The breach was facilitated by a smart contract vulnerability, where inadequate security checks allowed attackers to bypass safeguards during the token migration process. This included the manipulation of liquidity pool prices and the execution of unauthorized token transfers, leveraging the system’s weaknesses for substantial financial gain.

Market Health Metrics API

Benford's Law

Volume distribution analysis

Time-of-Trade

Buy/Sell Ratio

VWAP

Attack Types

Entity Types

Target Entities

51% Attacks

Custodian Attacks

Flash Loan Attacks

Lockout Scams

Phishing Attacks

Reentrancy Attacks

Rug Pull Scam