Visor Finance
Published in Visor Finance

Post-Mortem for vVISR staking contract exploit and upcoming migration

When we suffered an exploit previously in our guarded launch, we replaced users’ funds; this time will be no different, as we are restoring VISR holders and vVISR stakers. We have outlined a remedy below, which will be swift. Thank you for the continued support as we work through this.

The Exploit

On December 21st 2021 02:29:11 PM UTC a malicious contract drained Visor Finance’s staking contract of 8,812,958 VISR tokens. The malicious contract implemented the IVisor delegateTransferERC20 interface and called the staking contract’s withdraw function with the desired VISR amount. The attack was possible because the staking contract depended on whatever IVisor delegateTransferERC20 implementation the caller supplied.

There was a secondary migration contract used for our ENS-ETH vault that also took advantage of the same IVisor delegateTransferERC20 exploit. Funds will be reimbursed.

The Solution

The staking contract should not rely on a user-provided contract to implement the required transfer function. The staking contract should instead rely on a fixed transfer implementation such as ERC20.transferFrom. We are engaged with both Quantstamp and ConsenSys Diligence for December and January audits, and this new staking contract will be included.
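The difference between the two designs, shown as an added sketch that is not Visor's contract code. The contract name, the function names, the 1:1 share accounting, and the exact signature of delegateTransferERC20 are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface used below.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Assumed shape of the caller-implemented interface named in the post-mortem.
interface IVisor {
    function delegateTransferERC20(address token, address to, uint256 amount) external;
}

// Hypothetical, simplified staking contract.
contract StakingSketch {
    IERC20 public immutable token; // fixed at deployment, so the transfer code is known
    mapping(address => uint256) public shares;

    constructor(IERC20 _token) {
        token = _token;
    }

    // BEFORE: the transfer is delegated to a contract address chosen by the caller.
    // Nothing forces that contract to move any tokens, yet the accounting below
    // proceeds as if `amount` had arrived.
    function stakeViaCallerContract(address from, uint256 amount) external {
        IVisor(from).delegateTransferERC20(address(token), address(this), amount);
        shares[msg.sender] += amount;
    }

    // AFTER: the only code that moves funds is the token's own transferFrom,
    // which requires an allowance from msg.sender. Crediting the measured
    // balance change is an extra check added in this sketch: accounting then
    // reflects what was actually received, not what the caller claimed.
    function stake(uint256 amount) external {
        uint256 balanceBefore = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = token.balanceOf(address(this)) - balanceBefore;
        require(received > 0, "nothing received");
        shares[msg.sender] += received;
    }
}
```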

The New Token

Launching a new token that replaces the old one is confusing if the ticker stays the same. What we have opted to do is replace the old VISR token ticker symbol with the new one. All tokenomics will stay the same and there will be a redemption (from the time of the snapshot) of 1:1 with the new token, including those staked in the vVISR contract and those staked in Tokemak. We have already begun the process of listing the new token on various registries in order to make sure the new token is visible and recognized by dexes and wallets starting day one. No one should buy VISR as it will not be redeemable for the new token.

Liquidity

Before the exploit there was liquidity provided on both Uniswap v2 and Uniswap v3. The exact same amount of ETH and tokens will be placed in liquidity positions immediately after the new token and the token migration contract are deployed.

Questions?

If you made trades after the snapshot or were a liquidity provider of VISR-ETH, please reach out to a team member on Discord and we will resolve any issues you had.


The DeFi protocol for Active Liquidity Management. Building on 🦄 v3.
