Illuvium, the Australian GameFi project that rocketed to a multi-billion valuation in 2021, is taking drastic measures to protect its investors’ staking rewards.
What is Illuvium?
GameFi, the combination of blockchain games with DeFi elements, has taken the crypto world by storm in 2021. Illuvium, an Australian project launched by the Warwick brothers, is one of the most promising projects in this space. The game resembles Axie Infinity; another major GameFi hit that brought elements of collector’s games like Pokemon to the blockchain.
In 2021, the hype around Illuvium got so massive that the project surged to a multi-billion dollar valuation despite its actual game not even being on the market. For now, investors can only stake ILV, its native token, in preparation for the game.
The security exploit
However, Illuvium recently discovered a flaw in its staking platform that could have led to an attacker cashing out all the funds from its Uniswap staking pool. In a drastic move to protect investor funds, Illuvium itself drained its Uniswap pool and prevented a hostile party from taking such an action. The team explained the course of action on its Twitter account, stating that it is “purely a protection mechanism for the DAO.”
As a record of transactions on the Ethereum blockchain shows, several addresses with custom contracts had been depositing ILV into the pool and withdrawing a greater sum of sILV, staked ILV, before this should be possible. This suspicious behaviour had been dating back to November, which is why the Illuvium team opted to “nuke” its own pool in order to protect honest investors.
Aaron Warwick, one of the brothers behind the project, also addressed this measure on the Discord server. He explained that the team has a “backstop multisig that is able to mint in extreme circumstances.” This multi-signature wallet was used to mint new tokens, which rendered the old sILV worthless, thereby dispossessing both investors and the hacker of their sILV.
Compensation plans are already underway for Illuvium, as the team is waiting for a snapshot of true owners of staked ILV to reimburse them.
2022 hack season has begun
This marks the first hacking attempt of the new year, following an eventful 2021 for crypto hackers. One of its favourite targets, Cream Finance, got shaken down several times, with the biggest hack draining its smart contracts for over 130 million. Bitmarket, a crypto exchange, lost 275 million due to stolen private keys.
Some projects such as Polygon, on the other hand, are luckier. The layer-two solution had a white hat hacker (as ethical hackers cooperating with protocols are called) save it from a potential 850 million exploit.
While drastic and unexpected, the reaction by Illuvium was the correct one and a good example of vigilance by a team interested in protecting its investors. However, that hacking attempt will not remain the last one, and crypto investors should be alert to it. Don’t expect every protocol to react as proactively as Illuvium.