In an unexpected turn of events, an anonymous exploiter manipulated a hidden “panic” feature nestled within eight different smart contracts to unlawfully withdraw a staggering $1 million from users’ wallets, leaving them in the lurch.
The date, June 26, marked a devastating hit to the Decentralized Finance (DeFi) platform Chibi Finance, victimized by its very own deployer account in what appears to be a rug pull or exit scam. An astounding $1 million worth of cryptocurrency was siphoned from the platform’s smart contracts. The public face of the protocol vanished into thin air: the official UI rendered a 404 error while its social media accounts went dark. Following the removal of funds, these assets were converted into Wrapped Ether (WETH) and transferred to Ethereum, ultimately landing in the attacker’s Tornado Cash account.
The ripple effect of this incident led to the dramatic nosedive of the Chibi Finance (CHIBI) governance token price, which plummeted by over 90% on the news.
In the ideal world of DeFi, rug pulls shouldn’t be feasible. DeFi platforms inherently run on decentralized infrastructure, and so it would seem impossible for the application’s creator to abscond with users’ crypto or cash. However, this incident challenges that notion and calls for an in-depth exploration of the mechanics behind the alleged scam.
CertiK, a reputable blockchain security firm, conducted a thorough probe of the incident. Their report, in combination with the blockchain data, can provide critical insights into the nature of the attack and offer guidance on how users can safeguard themselves from similar exploits in the future.
Prior to going off-grid, Chibi presented itself as “the preeminent yield aggregator on Arbitrum.” It boasted of providing users with yield from the diverse Arbitrum ecosystem. Chibi Finance had been on a steady growth trajectory, as measured in Total Value Locked (TVL), since its inception in April. On June 21, it announced a milestone of $500,000 in TVL and set its sights on hitting $1 million. Coinciding with its listing on CoinGecko on June 26, which offered it more visibility, Chibi appeared to have reached its ambitious goal. However, this milestone was short-lived, as the tokens were drained from its contracts shortly after, resulting in user losses exceeding $1 million.
This audacious assault exploited a vulnerability present in eight distinct contracts employed by the Chibi Finance protocol. Many of these contracts were adapted from other projects and were not exclusive to Chibi. Notably, the StrategyAave.sol contract at Arbitrum address 0x45E8a9BA6Fcd612a30ae186F3Cc93d78Be3E7d8d and the StrategySushiSwap.sol contract at 0x9458Ea03af408cED1d919C8866a97FB35D06Aae0 are commonly used in various DeFi aggregator applications.
An integral part of the attacker’s strategy was the “panic” function hidden within some of the contracts employed by Chibi Finance. When triggered, the function allows the withdrawal of all tokens from a pool to a specific address. Such an action should have been executable only by the end-user; regrettably, the panic function lacked this stipulation. In the Chibi Finance contract, it was labeled as an “onlyGov” function, meaning it was accessible only to an administrator and not to ordinary users. The attacker capitalised on this loophole to execute their devious plan.
CertiK’s investigative report lays out a step-by-step account of how the attack unfolded, from the withdrawal of 10 Ether (ETH) from Tornado Cash by the Ethereum name Shadowout.eth to the creation of a malicious contract at address 0xb61222189b240be3da072898eda7db58b00fd6ee. Governance rights over the eight Chibi Finance contracts were then transferred to the rogue contract, which activated the “panic” feature on each contract, draining over $1 million worth of investor funds.
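To make the mechanism concrete, the following Solidity is an added illustration, not Chibi Finance’s or CertiK’s code: the first contract sketches the pattern the report describes (a `panic` that sends every token to a caller-chosen address behind an `onlyGov` check, with governance reassignable in one transaction, which is an assumption here), and the second shows one common hardening, where `panic` can only pull funds back into the strategy itself and a governance change must sit through a public delay. The names `StrategyAsDescribed`, `StrategyHardened`, `IFarm` and `GOV_DELAY` are invented for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example; interface and contract names are assumed, not Chibi's.
interface IERC20 {
    function transfer(address to, uint256 amt) external returns (bool);
    function balanceOf(address a) external view returns (uint256);
}
interface IFarm { function emergencyWithdraw() external; }

// Pattern as described in the article: "panic" moves every token to a
// caller-chosen address and is guarded only by onlyGov; the instant gov
// handover in setGov is an assumption made to keep the sketch short.
contract StrategyAsDescribed {
    address public gov = msg.sender;
    IERC20 public want; IFarm public farm;
    modifier onlyGov() { require(msg.sender == gov, "!gov"); _; }
    constructor(IERC20 _want, IFarm _farm) { want = _want; farm = _farm; }
    function setGov(address g) external onlyGov { gov = g; }
    function panic(address to) external onlyGov {
        farm.emergencyWithdraw();
        want.transfer(to, want.balanceOf(address(this)));  // drains to any address
    }
}

// Hardened form: panic has no destination argument (funds stay in the
// strategy for depositors to withdraw), and a new gov must be proposed,
// then accepted only after GOV_DELAY, so a pending handover is visible
// on-chain and gives users time to exit before it takes effect.
contract StrategyHardened {
    uint256 public constant GOV_DELAY = 2 days;
    address public gov = msg.sender;
    address public pendingGov; uint256 public govEffectiveAt;
    IERC20 public want; IFarm public farm; bool public paused;
    event GovProposed(address indexed newGov, uint256 effectiveAt);
    modifier onlyGov() { require(msg.sender == gov, "!gov"); _; }
    constructor(IERC20 _want, IFarm _farm) { want = _want; farm = _farm; }
    function proposeGov(address g) external onlyGov {
        pendingGov = g; govEffectiveAt = block.timestamp + GOV_DELAY;
        emit GovProposed(g, govEffectiveAt);
    }
    function acceptGov() external {
        require(msg.sender == pendingGov && block.timestamp >= govEffectiveAt, "not yet");
        gov = pendingGov; pendingGov = address(0);
    }
    // Emergency exit: leave the farm and pause, but never move tokens out of this contract.
    function panic() external onlyGov { farm.emergencyWithdraw(); paused = true; }
}
```

Watching for a `GovProposed` event (or any privileged-role change) on a protocol’s strategy contracts is the kind of on-chain signal a depositor or monitoring service can act on before a delayed handover completes.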
It’s evident that this incident underscores the lurking hazards of centralization within the Web3 space. The complexity of smart contract code means most users may not be equipped to detect potential security flaws. CertiK posits that while the Chibi Finance incident is a lesson in the risks of centralization, users are encouraged to review an app’s published audits before use.
Though Chibi Finance purported to have been audited by blockchain security firm SolidProof, the details of this alleged audit are not accessible, as the project’s GitHub has been taken offline. It remains uncertain whether the audit disclosed the potential risks posed by the “panic” function or if an audit took place at all.
Regrettably, rug pulls or exit scams have become an all-too-common menace in the DeFi landscape. Blockchain security firm Beosin disclosed that rug pulls resulted in a staggering loss of over $45 million in May alone, outstripping regular DeFi exploits.