Post-Mortem for vVISR staking contract exploit and upcoming migration

Visor Finance
Dec 21, 2021

When we suffered an exploit previously in our guarded launch, we replaced users' funds; this time will be no different, as we are restoring VISR holders and vVISR stakers. We have outlined a remedy below which will be swift. Thank you for the continued support as we work through this.

The Exploit

On December 21st 2021 02:29:11 PM UTC a malicious contract drained Visor Finance’s staking contract of 8,812,958 VISR tokens. The attack was carried out by implementing the IVisor delegateTransferERC20 interface and calling the staking contract’s withdraw function with the desired VISR amount. It was possible because the staking contract depended on an arbitrary IVisor delegateTransferERC20 implementation supplied by the caller.

There was a secondary migration contract used for our ENS-ETH vault that also took advantage of the same IVisor delegateTransferERC20 exploit. Funds will be reimbursed.

The Solution

The staking contract should not rely on a user-provided contract to implement the required transfer function. The staking contract should instead rely on a fixed transfer implementation such as ERC20.transferFrom. We are engaged with both Quantstamp and ConsenSys Diligence for December and January audits, and this new staking contract will be included.
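The contrast described above, as an added sketch that is not Visor's contract code: a staking function that trusts a caller-supplied delegateTransferERC20 implementation, beside one that uses a fixed ERC20.transferFrom and credits only the balance increase it observes. The contract names, `stakeFrom`, `stake` and `credited` are hypothetical, and the sketch models the dependency pattern rather than the specific function named in the post.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative sketch only: every name except delegateTransferERC20 and
// transferFrom is hypothetical.
interface IERC20 {
    function balanceOf(address a) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amt) external returns (bool);
}

interface IVisor {
    function delegateTransferERC20(address token, address to, uint256 amt) external;
}

abstract contract StakingBase {
    IERC20 public immutable token;
    mapping(address => uint256) public credited;
    constructor(IERC20 t) { token = t; }
}

// WEAK: the accounting trusts code chosen by the caller. `from` can be any
// contract exposing delegateTransferERC20, including one that moves nothing.
contract WeakStaking is StakingBase {
    constructor(IERC20 t) StakingBase(t) {}

    function stakeFrom(address from, uint256 amt) external {
        IVisor(from).delegateTransferERC20(address(token), address(this), amt);
        credited[msg.sender] += amt; // credited with no proof that tokens arrived
    }
}

// HARDENED: the only external call goes to the fixed token contract, and the
// credit equals the balance increase actually observed.
contract HardenedStaking is StakingBase {
    constructor(IERC20 t) StakingBase(t) {}

    function stake(uint256 amt) external {
        uint256 balBefore = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amt), "transfer failed");
        uint256 received = token.balanceOf(address(this)) - balBefore;
        require(received == amt, "short transfer");
        credited[msg.sender] += received;
    }
}
```

In review, the pattern to flag is any external call whose target address comes from calldata and whose success is taken as evidence that value moved.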

The New Token

Launching a new token that replaces the old one is confusing if the ticker stays the same. What we have opted to do is replace the old VISR token ticker symbol with the new one. All tokenomics will stay the same and there will be a redemption (from the time of the snapshot) of 1:1 with the new token, including those staked in the vVISR contract and those staked in Tokemak. We have already begun the process of listing the new token on various registries in order to make sure the new token is visible and recognized by DEXes and wallets starting day one. No one should buy VISR as it will not be redeemable for the new token.

Liquidity

Before the exploit there was liquidity provided on both Uniswap v2 and Uniswap v3. The exact same amount of ETH and tokens will be placed in liquidity positions immediately after the new token and the token migration contract are deployed.

Questions?

If you made trades after the snapshot or were a liquidity provider of VISR-ETH, please reach out to a team member on Discord and we will resolve any issues you had.
