By
Benjamin Njiri
April 23rd, 2024
While the exact specifics of how Warp recovered the funds are unknown, reports suggest the decentralized lending protocol was able to recoup the stolen funds.
Warp Finance, a decentralized finance (DeFi) lending protocol, announced on December 29 that the firm has recouped 75% of its funds in a flash loan attack last week. The lending protocol revealed that the firm lost $7.7 million in the attack and has now recovered only or about $5.85 million.
Warp also said that they lost the funds in USDC stable coins and DAI but recovered them in the form of ETH/DAI LP tokens including Uniswap liquidity provider tokens consisting of both DAI and ether deposits.
“The loan collateral has since been regained by the warp finance team,” Warp wrote in a medium post. The firm added that they were going to return the recovered users deposited funds to the affected users within the next 24 hours in a reimbursement plan. The funds will be distributed in proportional amounts of W-USDC and W-DAI held at the time of the flash loan attack. The post by the lending protocol also stated that the attack included multiple flash loans through dYdX, numerous occasions of flash liquidity as well as a series of flash swaps via Uniswap.
The DeFi lending protocol has announced that it plans to restore the entire investments of its users and will be giving out portal IOU tokens to each affected user. This could potentially allow users to gain a raise or profit in their funds deposited on the platform at the time of the attack. The firm again revealed that those IOU tokens were going to be distributed in the “coming days.”
Speaking on the decision to return to LP tokens, Warp explained that those were the tokens that the firm was able to regain instead of stablecoins. The firm also stated that they did not want to add any risk or complexity to the reimbursement process. Warp added that approximately $5.5 million were still “secured in the collateral vault.”
While the exact specifics of how Warp recovered the funds are unknown, reports suggest the decentralized lending protocol was able to recoup the stolen funds thanks to a decision to transfer admin rights of its smart contracts to one of its multiple externally-owned addresses. This action supposedly allowed the firm to execute the “LiquidateAccount” function and “liquidate the attacker’s position.”
Additional reports state that a 48-hour time lock on admin updates prevented the firm from using the “LiquidateAccount ” function right after the attack.
Warp is set to release details on NFTs, their Portal IOU token, “future plans and roadmap” alongside an explicit analysis with regards to vulnerability identification. The firm has stated that they understand the conditions surrounding their recovery from a vulnerability like this but are prepared to take the needed steps to restore the somewhat lost confidence in Warp Finance.