Vestra DAO appears to have been hacked. On-chain analysts noted suspicious activity where VSTR tokens, the protocol’s native ERC-20 token, were being moved from available smart contracts and immediately sent to the Tornado mixer.
At least $480K worth of tokens had been stolen at the time of the reports. While the initial attack was relatively small, the risk remained for other participants. On-chain researcher Chaofan Shou first noted the exploit, advising all users to withdraw permissions.
Vestra DAO @Vestra_DAO is hacked just now and still ongoing. $480K loss already and more to come. Withdraw your stake and pull liquidity immediately. pic.twitter.com/0b9i1lhrEw
— Chaofan Shou (@shoucccc) December 4, 2024
The exploit has affected the VSTR token staking contract, with the funds immediately liquidated and sent to the Tornado mixer. For VSTR, more than 65% of the tokens are locked for governance, with over 34B tokens.
The affected smart contract holds the remaining 755M VSTR tokens, making up 1.51% of the total supply. Despite the attack against a relatively small token, the subsequent market crash erased even more value from the project. For now, Vestra DAO may have enough VSTR in its reserves to compensate users, while trying to repair its reputational damage.
Exploiter waited for a month before exploiting a contract logic flaw
The exploiter sold in a rush, paying 0.51 ETH to Beaverbuild for priority inclusion in a block. Vestra DAO’s locked staking contract was affected, directly sending out VSTR tokens.
For hours, the exploiter sent out spam transactions for 520K or 500K VSTR to the contract, in the end, trading $480K in total. The attack exploited a logic flaw in the contract, which allowed the hacker to receive 20,000 VSTR after each transaction.
On-chain analysis showed that the attacker first staked VSTR to the contract 30 days ago, lurking and studying the contract’s flaw. Then, the automated series of transactions started extracting VSTR with each iteration of staking and unstaking.
The data checks on every deposit and withdrawal did not trigger any warnings, allowing the attacker to drain the contract over multiple deposit and withdrawal transactions. The contract checked the maturity only once, but the hacker had completed the requirement by staking 30 days ago.
The result of the exploit was a haul of 125 ETH, which was mixed through Tornado Cash. The attacker spent $40K on Ethereum gas for the fastest possible swaps, briefly becoming the biggest gas user on the chain.
Vestra DAO has not issued the specifics of the attack and claimed user funds remained unaffected. However, the contract was drained of its VSTR tokens, clearly taking value from the project.
VSTR tokens hacked a month after trading launch
Vestra DAO is a relatively new project, with VSTR tokens trading since November 6. The token is only available in a Uniswap V3 trading pair.
The DAO ran its very first proposal on October 14, and it was tied to selling 1B tokens from the project’s treasury. The VSTR token still has only 1,643 holders, adding to the limited effect of the hack.
The token immediately crashed after the attack, from $0.013 to $0.005. Later, VSTR inched up to $0.009 but remains extremely illiquid and volatile. In addition to the direct loss, VSTR also wiped out half its market capitalization.
At this point, VSTR may be even riskier than early-stage meme tokens. The biggest risk is that VSTR tokens only have $1.9M in liquidity, which is not locked and can be further exploited via a rug pull.
The other risk for the project is that its contracts invoke functions from external smart contracts, leading to a general warning on CoinGecko. Vestra DAO claimed it had blacklisted its staking contract, but it is unknown if similar vulnerabilities exist for other smart contracts.
Even for audited projects, smart contracts may not always be entirely secure and may hold exploit possibilities. In the case of the VestraDAO, the early-stage project may recover and boost its reliability.
Vestra DAO appealed to the Turkish crypto community, one of the most active groups of early adopters. The VSTR token even had a conversion price into Turkish lira.
From Zero to Web3 Pro: Your 90-Day Career Launch Plan