Astrid, the Ethereum liquidity restaking pool, disclosed in a document posted on the X platform that its smart contract had been exploited through a flaw in its withdrawal function. In response to the attack, Astrid temporarily suspended the smart contract, took a snapshot of all token holders at the time of the attack, and has reportedly provided full compensation to the affected users.
In a detailed breakdown of the attack, the transaction explorer Phalcon stated that the attacker was able to manipulate the parameters of the withdraw() function, namely the token address and the token amount. The attacker executed the following steps:
1. They created three counterfeit tokens, labeled A, B, and C.
2. Using counterfeit token A, they withdrew funds and received stETH.
3. Using counterfeit token B, they withdrew funds and received rETH.
4. Using counterfeit token C, they withdrew funds and received cbETH.
5. Finally, they converted the stETH, rETH, and cbETH into ETH.
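The flaw class the breakdown describes is a withdraw() that lets the caller choose the token it acts on without checking that the token belongs to the pool. The following is an added illustration written for this article, not Astrid's contract (whose actual layout is not given here): a weak pattern beside a hardened form. The IERC20 and IReceiptToken interfaces, the receipt-token design, the underlying() lookup, and the assumption that each registered receipt token lets the pool mint and burn are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal token surfaces used below (assumed for this example).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IReceiptToken {
    function underlying() external view returns (address); // pool asset this receipt redeems for
    function burnFrom(address from, uint256 amount) external;
    function mint(address to, uint256 amount) external;
}

/// Weak pattern (hypothetical; not Astrid's code): the caller names the receipt token, and the
/// pool trusts that contract to say which pool asset it redeems for.
contract PoolWithUncheckedToken {
    function withdraw(address receiptToken, uint256 amount) external {
        // Nothing ties `receiptToken` to this pool. A token controlled by someone else can
        // report any `underlying()` it likes and accept any burn, so the only effect that
        // matters is the transfer of a real pool asset on the last line.
        address asset = IReceiptToken(receiptToken).underlying();
        IReceiptToken(receiptToken).burnFrom(msg.sender, amount);
        IERC20(asset).transfer(msg.sender, amount);
    }
}

/// Hardened form: the pool keeps its own registry of receipt tokens and of the asset each one
/// redeems for, fixed at deployment, and never asks an external contract for that mapping.
contract PoolWithRegisteredTokens {
    // receipt token => pool asset it redeems for (zero address == not a receipt of this pool)
    mapping(address => address) public underlyingOf;
    // internal accounting: how much of each asset entered the pool through deposit()
    mapping(address => uint256) public poolBalance;

    event Deposit(address indexed user, address indexed asset, uint256 amount);
    event Withdraw(address indexed user, address indexed asset, uint256 amount);

    constructor(address[] memory receipts, address[] memory assets) {
        require(receipts.length == assets.length, "length mismatch");
        for (uint256 i = 0; i < receipts.length; i++) {
            require(receipts[i] != address(0) && assets[i] != address(0), "zero address");
            underlyingOf[receipts[i]] = assets[i];
        }
    }

    function deposit(address receiptToken, uint256 amount) external {
        address asset = underlyingOf[receiptToken];
        require(asset != address(0), "unknown receipt token");
        require(IERC20(asset).transferFrom(msg.sender, address(this), amount), "transfer failed");
        poolBalance[asset] += amount;
        IReceiptToken(receiptToken).mint(msg.sender, amount);
        emit Deposit(msg.sender, asset, amount);
    }

    function withdraw(address receiptToken, uint256 amount) external {
        // 1. The receipt token must be one this pool registered at deployment.
        address asset = underlyingOf[receiptToken];
        require(asset != address(0), "unknown receipt token");
        // 2. The payout is bounded by what the pool's own books say it holds for that asset.
        require(amount <= poolBalance[asset], "insufficient pool balance");
        // 3. Effects before interactions: update accounting, burn the receipt, then pay out.
        poolBalance[asset] -= amount;
        IReceiptToken(receiptToken).burnFrom(msg.sender, amount);
        require(IERC20(asset).transfer(msg.sender, amount), "transfer failed");
        emit Withdraw(msg.sender, asset, amount);
    }
}
```

The registry check is the decisive line: once the pool maps receipt tokens to assets itself, a token it never registered cannot name a payout asset, and the per-asset balance caps what any single withdrawal can move. For monitoring, the Withdraw event gives a clean signal: any outbound transfer of a pool asset that is not paired with a matching Withdraw event and a burn of a registered receipt token is worth an alert.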
The incident has drawn attention to the ongoing cyber-attack risks facing DeFi platforms, which manage billions of dollars in user assets. The platform published a table detailing the compensation paid to users and liquidity providers (excluding deposits from internal teams). According to an update from Astrid, liquidity providers were compensated in the form of staked ETH tokens.
Astrid confirmed that all user losses have been fully reimbursed and that the smart contract remains suspended for the time being while investigations and remediation continue. The event is a stern reminder of the importance of thorough smart contract auditing and security in the DeFi space.