• On June 26, Chibi Finance was exploited and $1 million worth of cryptocurrency was drained from its contracts.
• CertiK has produced a detailed report analyzing how the attack occurred and what users can do to protect themselves in the future.
• The funds were removed through a privileged “panic” function present in eight different contracts used by the Chibi Finance protocol.
Chibi Finance Alleged Rug Pull
On June 26, decentralized finance (DeFi) aggregator Chibi Finance was allegedly exploited by its own deployer account, and $1 million worth of cryptocurrency was drained from its contracts in an apparent rug pull or exit scam. The price of the Chibi Finance (CHIBI) governance token fell by over 90% as the news broke.
How It Happened
The exploiter called a “panic” function present in eight different smart contracts to remove $1 million worth of users’ deposited funds without their permission. After the funds were drained, they were swapped for Wrapped Ether (WETH), bridged to Ethereum, and then deposited into Tornado Cash by the attacker.
Analysis
CertiK has produced a detailed report after investigating the incident. When combined with blockchain data, this report can shed light on how the attack occurred and what users can do to protect themselves against similar attacks or scams in the future.
Chibi Finance App Overview
Before its user interface went offline, Chibi described itself as “the most popular yield aggregator on Arbitrum”, claiming to let users earn yield from across the Arbitrum ecosystem. On June 21, Chibi announced it had reached $500,000 in Total Value Locked (TVL) and set a goal of $1 million, which looked achievable once the token was listed on CoinGecko. Shortly afterward the protocol was exploited by its own deployer account, and investors lost over $1 million worth of cryptocurrency in an alleged rug pull or exit scam.
Contracts Exploited
The eight contracts involved had been forked from other projects and were not thoroughly audited. Each contained a privileged “panic” function that the deployer account could call, and calling it withdrew the assets users had deposited into those contracts without the depositors’ knowledge or consent. The issue was not a coding bug in the usual sense: it was an unrestricted emergency function under a single key, which is exactly what a reader of the verified source should look for before depositing.
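To make the pattern concrete, the following Solidity is an added illustration written for this page; it is not Chibi Finance’s code and does not claim to match it. VaultWithPanic shows the general shape of a privileged “panic” that sweeps a pool to one address, and VaultHardened shows the same emergency need met without a sweep-to-owner path (a pause that never blocks user withdrawals, with the admin intended to be a timelock). The contract names, the `want` token abstraction and the timelock assumption are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Illustrative reconstruction only: not Chibi Finance's code. Names, layout
// and the "want" token abstraction are assumptions for the example.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Pattern A: a vault whose "panic" lets one privileged key sweep the whole pool.
// Depositors' funds sit in the contract; a single call from `owner` empties it.
contract VaultWithPanic {
    IERC20 public immutable want;
    address public owner;
    mapping(address => uint256) public balanceOf;

    constructor(IERC20 _want) {
        want = _want;
        owner = msg.sender; // the deployer EOA, with no timelock in front of it
    }

    function deposit(uint256 amount) external {
        require(want.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balanceOf[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        balanceOf[msg.sender] -= amount; // reverts on underflow in 0.8.x
        require(want.transfer(msg.sender, amount), "transfer failed");
    }

    // The rug: nothing limits where the funds go or how much leaves.
    function panic() external {
        require(msg.sender == owner, "not owner");
        require(want.transfer(owner, want.balanceOf(address(this))), "transfer failed");
    }
}

// Pattern B: the same "emergency" need without a sweep-to-owner path.
// - an emergency only pauses new deposits; it never moves funds to a privileged address
// - users can always pull their own share, paused or not
// - `admin` is intended to be a timelock contract (assumption), so any future privileged
//   change is queued on-chain and visible before it can execute
contract VaultHardened {
    IERC20 public immutable want;
    address public immutable admin;
    bool public paused;
    mapping(address => uint256) public balanceOf;

    event Paused(address indexed by);

    constructor(IERC20 _want, address timelockAdmin) {
        want = _want;
        admin = timelockAdmin;
    }

    function deposit(uint256 amount) external {
        require(!paused, "paused");
        require(want.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balanceOf[msg.sender] += amount;
    }

    // Withdrawals are never gated by the pause: depositors keep their exit.
    function withdraw(uint256 amount) external {
        balanceOf[msg.sender] -= amount;
        require(want.transfer(msg.sender, amount), "transfer failed");
    }

    // The only privileged emergency action is to stop new inflows.
    function emergencyPause() external {
        require(msg.sender == admin, "not admin");
        paused = true;
        emit Paused(msg.sender);
    }
}
```

The practical check this suggests for users: in a contract’s verified source, look for owner-only functions that transfer the contract’s full token balance to an address the owner controls (names like `panic`, `emergencyWithdraw`, `rescue`, or `sweep` are common). If such a function exists and the owner is an externally owned account rather than a timelock or multisig, deposited funds are only as safe as that one key.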