Reports showed the attackers exploited the system by borrowing funds using a flash loan, a form of unsecured lending. After this, the attackers used inflated values to drain all the liquidity from the affected Quickswap pool. Stolen tokens, including MATIC, were exchanged for other tokens on Tornado Cash.
Quickswap made the announcement in a tweet from its official Twitter account and warned users of the attack, which targeted a vulnerability in the Curve Oracle.
Flash loans are a feature provided by DeFi platforms and do not require collateral from the borrower as long as the loan is paid back in the same transaction.
Originally, the DeFi platform had pinned the vulnerability on the Market XYZ protocol, which, it said, used a faulty oracle from DeFi protocol Curve and stablecoin issuer QiDao. However, QiDao has said the vulnerability is unrelated to its smart contracts.
Oracles are protocols that fetch data from external sources and feed it to the blockchains that need it. While Quickswap said it would release an updated report, none has been released as of the time of writing.
Blockchain security firm PeckShield released a report on the exploit sometime later, describing how the attackers used Tornado Cash to hide the origin of the funds, according to Etherscan data.
Quickswap is a fork of Uniswap, one of the leading AMM DEXes in the crypto space, but unlike Uniswap, Quickswap runs on Polygon rather than Ethereum. This attack is one of many in the month of October alone.