Shezmu, a decentralised DeFi yield protocol, enables users to mint stablecoins like ShezUSD by providing collateral. The protocol suffered a significant breach in which approximately $4.9 million worth of ShezUSD was stolen. The exploit occurred due to a flaw in the vault system, which allowed unauthorised minting of ShezUSD without the required collateral.
Behind the Breach
The hack was facilitated by a vulnerability in Shezmu’s vault, which allowed the attacker to mint ShezUSD without providing sufficient collateral. This led to a large quantity of ShezUSD being generated and borrowed. However, due to limited liquidity, the hacker could only cash out around $700,000. In response, Shezmu offered a 10% bounty for the return of the funds, which was later renegotiated to 20%. The hacker complied and began returning the stolen assets in batches, primarily in Ethereum and Wrapped Ether.
Lessons from the Incident
This breach underscores the importance of securing the minting process in decentralised protocols. The root cause was a vulnerability in Shezmu's collateral minting mechanism. Going forward, Shezmu and other DeFi projects could mitigate similar risks by implementing the following measures:
Comprehensive Audits: Regular, thorough security audits to identify and patch vulnerabilities in smart contracts.
Improved Collateral Monitoring: Ensuring collateralisation is verified using robust, decentralised oracle systems.
Automated Alerts and Limits: Implementing automated transaction limits and real-time alerts for unusual minting behaviour.
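As an added illustration of the collateral check and the minting limits listed above (example code written for this article, not Shezmu's contracts or monitoring), the following off-chain monitor flags mints that leave a vault undercollateralised or that push total minting past a rolling cap. The event fields, thresholds, single oracle price and sample events are all assumptions constructed for the example.

```python
from collections import deque
from dataclasses import dataclass
from decimal import Decimal

# Assumed policy values for illustration only; not Shezmu's parameters.
MIN_COLLATERAL_RATIO = Decimal("1.5")   # collateral value / vault debt
WINDOW_SECONDS = 3600                   # rolling window for the mint cap
WINDOW_MINT_CAP = Decimal("250000")     # max stablecoin minted per window

@dataclass(frozen=True)
class MintEvent:                        # hypothetical decoded mint event
    timestamp: int                      # unix seconds
    vault_id: str
    minted: Decimal                     # stablecoin minted by this tx
    debt_after: Decimal                 # vault debt after the mint
    collateral_amount: Decimal          # collateral units locked in the vault

def check_mints(events, oracle_price):
    """Return (vault_id, timestamp, reasons) for every suspicious mint."""
    alerts, window, window_total = [], deque(), Decimal(0)
    for ev in sorted(events, key=lambda e: e.timestamp):
        reasons = []
        # Check 1: debt must be backed by collateral valued at the oracle price.
        value = ev.collateral_amount * oracle_price
        if value < ev.debt_after * MIN_COLLATERAL_RATIO:
            reasons.append("undercollateralised")
        # Check 2: protocol-wide minting within the rolling window.
        while window and ev.timestamp - window[0][0] >= WINDOW_SECONDS:
            window_total -= window.popleft()[1]
        window.append((ev.timestamp, ev.minted))
        window_total += ev.minted
        if window_total > WINDOW_MINT_CAP:
            reasons.append("mint_cap_exceeded")
        if reasons:
            alerts.append((ev.vault_id, ev.timestamp, reasons))
    return alerts

# Constructed sample events: vault B mints with no collateral at all.
D = Decimal
SAMPLE_EVENTS = [
    MintEvent(1000, "A", D("10000"), D("10000"), D("10")),
    MintEvent(1600, "B", D("200000"), D("200000"), D("0")),
    MintEvent(2200, "B", D("100000"), D("300000"), D("0")),
    MintEvent(9000, "A", D("5000"), D("15000"), D("15")),
]

if __name__ == "__main__":
    for alert in check_mints(SAMPLE_EVENTS, oracle_price=D("2000")):
        print(alert)
```

In production the same two checks belong in the contract itself as hard limits; an off-chain monitor like this only adds alerting on top.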
Rivanorth is a boutique Web3 cybersecurity company. We specialise in smart contract audits and 360 degree security services for Web3. Visit rivanorth.com to find out more.