Polygon stablecoin Qi Dao exploited for $13M on Superfluid vested contract


Polygon’s native stablecoin protocol, Qi Dao, faced an exploit on its Superfluid vesting contract, which led to a 65% drop in the price of the governance token Qi Dao (QI). QI’s price fell from $1.24 to $0.18.

Qi Dao took to Twitter on Tuesday to acknowledge the exploit on the Superfluid vesting contract but assured that users’ funds are safe and no funds from Qi Dao have been affected. Superfluid also confirmed the exploit on Qi Dao and said it was investigating the situation and would update accordingly. The Superfluid protocol enables users to move assets on-chain in a constant, real-time flow from one wallet to another.

While there was no impact on users’ funds, the hackers behind the attack managed to get away with $20 million worth of tokens including 24 Wrapped Ether (wETH), 562,000 USD Coin (USDC), 44,000 Stake DAO (SDT), 1.5 million Museum of Crypto Art (MOCA), 23,000 Stacker Ventures (STACK) and nearly 40,000 sdam3CRV. Early information suggests that the stolen funds belonged to some of the early backers of the project and included team-vested tokens as well.

Reported hacker wallet activity. Source: PolygonScan

Crypto analytics group SlowMist created a fund tracker with the balance of each token stolen. After analyzing the wallet transaction data, it estimated that the hackers managed to steal about $13 million worth of cryptocurrencies.

Hacker’s reported balance. Source: SlowMist

The hackers behind the attack started dumping stolen Qi Dao on the QuickSwap decentralized exchange with high slippage, leading to a 65% decline in the price of the governance token. The Polygon community took the opportunity to buy the dip, which has already helped the governance token reach up to $0.6 after falling below $0.18. It is important to note that the exploit was carried out using a vulnerability in Superfluid, and Qi Dao wasn’t exploited.

Qi Dao had temporarily paused its bridge after the exploit and hoped to resolve the issue soon. The exploit comes within 24 hours of Polygon’s $450-million fundraise; however, the community showed immense support for the native stablecoin protocol and stressed that the exploit was due to the third-party vulnerability rather than an issue with the stablecoin protocol.