Funds routed through Tornado Cash as Goldfinch Finance user deltatiger.eth loses $330K

An identified user of the Ethereum-based DeFi platform Goldfinch Finance has suffered an exploit leading to losses of approximately $330,000, according to blockchain security platform PeckShield.

PeckShieldAlert reported on X Tuesday that Goldfinch user deltatiger.eth’s attacker had sent about 118 ETH to Tornado Cash after hacking an older smart contract on Ethereum.

The compromised contract, identified as 0x0689aa2234d06Ac0d04cdac874331d287aFA4B43, enabled the perpetrator to take control of deltatiger’s wallet and drain funds.

The vulnerability lay in the contract’s collectInterestRepayment() function, which can transfer USDC from any address granting approval. The attacker reportedly deposited 1,000 USDC and repeatedly withdrew funds after artificially inflating the share price.

PeckShield warned users to “revoke all approvals on the contract” immediately to prevent the hacker from stealing more tokens as they continued using the crypto mixer Tornado Cash to launder the stolen ones. 

There have been no updates from deltatiger and Goldfinch so far, and neither of the entities has disclosed if the attacker has communicated with them after the exploit took place at around 9:30 AM UTC today.

Goldfinch Finance’s decentralized lending method faulted

Goldfinch Finance is a decentralized finance (DeFi) protocol supported by major players in the crypto industry, including a16z Crypto and Coinbase Ventures. 

Much different from most crypto lending platforms, Goldfinch does not require borrowers to provide collateral. Instead, they can submit loan proposals for review by backers and auditors, which is then issued if proposals secure sufficient support. Liquidity providers, backers, and auditors earn interest as a reward, while borrowers access capital without posting collateral. 

The protocol went live on Ethereum in February 2021, issuing $1 million worth of loans initially. Version 1.1 launched a month later in March 2021, and Goldfinch raised $11 million in funding from Andreessen Horowitz months later. In October 2021, the platform partnered with Nexus Mutual, allowing Liquidity Providers and Backers to purchase smart contract insurance. 

According to Coingecko’s token terminal, Goldfinch protocol has a fully diluted market capitalization of $30.5 million, token trading volume of $12.4 million in the last 30 days, and active loans totaling $91.3 million.

In 2023, an East African motorbike finance company named Tugende Kenya defaulted on a $5 million crypto loan after allegedly providing an unauthorized loan to its Uganda-based parent company, which violated loan terms.

Warbler Labs, Goldfinch’s parent company, discovered Tugende Kenya had diverted almost $2 million to its parent firm. The breach was unveiled in December that year, but company records show it was reported on Goldfinch’s governance forum in February 2024.

Another default came in 2024 involving Singapore-based private credit firm Lend East, which said it could repay only about $4.25 million of a $10.15 million loan from the Goldfinch pool. The amount was 58% less than the repayment value and accounted for 7.7% of Goldfinch’s total active loans. 

The Lend East pool had a 25-month term, maturing on April 3, 2024, offering 17% USDC APY or 28% variable GFI APY. Discord community members alleged that $750,000 borrowed from Goldfinch was used to repay other borrowers, breaching the original loan agreement.

December welcomes DeFi protocols to losses from hacks

Goldfinch’s hack comes barely 24 hours after Yearn Finance’s yETH was hit by an unlimited minting breach, draining the entire yETH pool in a single transaction. According to Cryptopolitan’s report, attackers generated nearly infinite yETH tokens, extracting approximately 1,000 ETH, worth $3 million, which was then routed through Tornado Cash.

yETH is an index token based on several liquid-staked versions of ETH, known as Ethereum Liquid Staking Derivatives (LSTs). The exploit was flagged by X user Togbe, who noted “heavy transactions” on LSTs including Yearn, Rocket Pool, Origin, and Dinero.

Yearn Finance confirmed the incident through its official X account but assured users that V2 and V3 Vaults were secure. This is the second attack since 2021, when Yearn’s yDAI vault breach led to a $2.8 million loss, and a faulty script in December 2023 that wiped out 63% of a treasury position.

Blockchain security firm CertiK reported on Sunday that the crypto industry suffered estimated losses of $127 million from hacks and exploits in November. The company’s monthly threat report noted that actual affected funds exceeded $172 million, though approximately $45 million was later recovered.

Get $50 free to trade crypto when you sign up to Bybit now