Swerve Finance, a defunct Curve Finance clone, is still in the midst of a live governance exploit to steal $1.3 million in stablecoins, which is viewable on-chain, and details may have emerged unmasking the alleged exploiter behind the attack.
To summarize, someone has attempted to launch a governance attack against Swerve Finance. A governance attack occurs when a hacker gains enough voting power to carry out proposals designed to steal tokens from a protocol. The attack on Swerve Finance has been ongoing for more than a week.
The governance attack began with an address owned by an entity we’ll refer to as “Exploiter A” for the purposes of this article. This address accomplished this by submitting two proposals to the attacker’s contract to transfer ownership of Swerve’s remaining funds (worth $1.3 million). The exploiter attempted to launch this attack using 348,000 Swerve governance tokens but was unsuccessful. This is because the attacker lacked the required 51% token ownership to pass the proposal.
On-chain data show exploiter A requesting help from another address, which we’ll refer to as “Exploiter B.” With 102,000 Swerve governance tokens, this new entity quickly began voting on the proposal. These two entities’ combined voting power is still insufficient to pass the malicious governance proposal.
Igor Igamberdiev, Wintermute’s Head of Research, believes he has uncovered the exploiter’s identity. Igamberdiev provided a trail of on-chain evidence that linked to a specific individual, including transactions routed through the sanctioned crypto mixer Tornado Cash. The analysis connects this individual’s wallet addresses to the Exploiters A and B who carried out the governance attack.
“Timing is the usual heuristic to connect deposits and withdrawals,” Igamberdiev said. In this context, timing refers to the numerous instances where deposits and withdrawals associated with the individual and the two exploiter addresses appear to be linked.
As of the time of publication, the alleged exploiter had not responded to The Block’s comments.
According to Igamberdiev, the exploiter still has time to stop the attack. “Instead, it’s possible to assist the community in protecting Swerve from future attacks, such as transferring ownership to the null address,” Igamberdiev tweeted.
