BooFinance: Trader Joe’s Exploited Fishbowl and Coverup

Into the Void

We’re going to be shining a light into Trader Joe’s wrongdoings. This will undoubtedly ruffle some feathers and make some people uncomfortable. It is a topic that merits serious discussion from all sides. How do we prevent greed and self-interest from stifling DeFi’s continued development?

Our Community has grown massively since announcing our Vampire Attack on Trader Joe. We’ve managed to garner support from all sectors of Avalanche. Many have tried to censor us and misinform others about our movement.

Following Their Tracks

DeFi is not new to hacks and exploits. Protocols and projects get hacked all the time, and at this early stage of the industry bugs and exploits are to be expected. It's how a team handles those situations that tells you about their integrity.

Trader Joe’s Team comes from Traditional Finance. They’ve had great success within DeFi, but that doesn’t necessarily translate into a great understanding of the blockchain.

After a thorough analysis of Trader Joe’s minting contract, we came across several transactions that drew our attention. One of the more troublesome discoveries we’ve made dates back to the end of last year.

The Exploit

The following is a technical explanation of the multiple exploit attacks on Trader Joe’s JoeMakerV2 contract. You can skip to “The Coverup” if you’re not interested in the fine details.

The red flag transactions started around November 30th of last year. The contract in question is the JoeMakerV2. You can find the contract here: https://snowtrace.io/address/0xC98C3C547DDbcc0029F38E0383C645C202aD663d#code.

The aforementioned contract was used to receive the Exchange’s 0.05% trading fee. Anyone could call “convert()” on the JoeMakerV2 contract and it would trade accumulated fees of a certain token pair for JOE. This JOE was sent as a reward to the xJOE contract.

Under normal circumstances, this process is automated by a bot or script so that fees are converted in small, regular batches, limiting slippage and the need for manual intervention. Trader Joe appears to have skipped this step, which led to hundreds of thousands of dollars' worth of rewards accumulating in the contract.

With the funds sitting in the open, the attackers got to work. The exploit itself is quite technical, so we’ll do our best to summarize it. It is a multi-transaction exploit.

First, the attacker minted LP tokens for a pair such as USDC.e/AVAX. They then used those LP tokens as one side of a new Joe pair, AVAX/lpToken(USDC.e/AVAX). Trading a minute amount of AVAX in this new pool causes the JoeMakerV2 contract to receive fees in the form of the attacker's nested LP token.

Finally, the exploiters call the convert() function and make off with all the fees that had accumulated for USDC.e/AVAX, turning Trader Joe's own LP mechanism against itself.

An example of the exploit can be found here: https://snowtrace.io/token/0xa389f9430876455c36478deea9769b7ca4e3ddb1?a=0x51841d9afe10fe55571bdb8f4af1060415003528

Multiple attackers consecutively and methodically drained all accumulated rewards from multiple different pools. The first instance of funds being stolen was on November 24, 2021. It wouldn’t be until December 2nd that the Trader Joe Team would notice the missing funds and fix the exploit by setting the feeReceiver address to a new contract.

Over the course of those 8 days, several different wallets noticed the exploit. It became a feeding frenzy over who could execute it most often to collect the rewards accrued for xJOE stakers.
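To make the defensive side of this concrete, here is an added example (our own illustration, not Trader Joe's or Boo Finance's code) of the two checks a team running a JoeMakerV2-style fee converter could have had in place: a guard that refuses to convert a pair where one of the "tokens" is itself an LP token (the LP-inside-an-LP pattern described above), and a monitoring pass that flags large convert() payouts triggered by addresses other than the protocol's own keeper bot. Every pair name, address and event in it is constructed for the example; the `PairRegistry`, `convert_allowed` and `audit_converts` names are ours.

```python
# Added example (not Trader Joe's or Boo Finance's code): a defender-side audit of
# convert() calls on a fee-converter contract like the JoeMakerV2 described above.
# All pair names, addresses and events below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pair:
    lp_token: str   # label of the LP token the pair mints
    token0: str
    token1: str


@dataclass(frozen=True)
class ConvertEvent:
    tx: str
    block: int
    caller: str
    token0: str
    token1: str
    joe_out: float  # JOE the converter sent to xJOE for this call


class PairRegistry:
    """Index of factory pairs, so any token can be checked for being an LP token itself."""

    def __init__(self, pairs):
        self._by_lp = {p.lp_token: p for p in pairs}
        self._by_tokens = {frozenset((p.token0, p.token1)): p for p in pairs}

    def is_lp_token(self, token):
        return token in self._by_lp

    def lookup(self, token0, token1):
        return self._by_tokens.get(frozenset((token0, token1)))


def nested_lp_tokens(pair, registry):
    """Tokens of `pair` that are themselves LP tokens: the LP-inside-an-LP pattern."""
    return [t for t in (pair.token0, pair.token1) if registry.is_lp_token(t)]


def convert_allowed(token0, token1, registry, allowlist):
    """Mitigation check: only convert registered pairs of allowlisted, non-LP tokens."""
    pair = registry.lookup(token0, token1)
    if pair is None:
        return False
    if nested_lp_tokens(pair, registry):
        return False
    return token0 in allowlist and token1 in allowlist


def audit_converts(events, registry, keepers, outsider_joe_threshold):
    """Detection pass over convert() calls. Returns a list of (tx, reason) alerts."""
    alerts = []
    for ev in events:
        pair = registry.lookup(ev.token0, ev.token1)
        if pair is None:
            alerts.append((ev.tx, "convert() on a pair the factory does not know"))
            continue
        nested = nested_lp_tokens(pair, registry)
        if nested:
            alerts.append((ev.tx, f"pair wraps LP token(s) {nested}: nested-LP pattern"))
        # convert() is permissionless by design, so small calls by anyone are normal;
        # a large payout triggered by a non-keeper is what an attentive team watches for.
        if ev.caller not in keepers and ev.joe_out > outsider_joe_threshold:
            alerts.append((ev.tx, f"non-keeper {ev.caller} triggered payout of {ev.joe_out} JOE"))
    return alerts


# Constructed sample data (labels, not real addresses or transactions).
REGISTRY = PairRegistry([
    Pair("LP_USDCe_AVAX", "USDC.e", "AVAX"),
    Pair("LP_JOE_AVAX", "JOE", "AVAX"),
    # The nested pair from the post: AVAX paired against the USDC.e/AVAX LP token.
    Pair("LP_AVAX_x_LP_USDCe_AVAX", "AVAX", "LP_USDCe_AVAX"),
])
KEEPERS = {"0xkeeper"}
ALLOWLIST = {"USDC.e", "AVAX", "JOE"}
EVENTS = [
    ConvertEvent("0xa", 100, "0xkeeper", "USDC.e", "AVAX", 120.0),
    ConvertEvent("0xb", 101, "0xattacker", "AVAX", "LP_USDCe_AVAX", 9500.0),
    ConvertEvent("0xc", 102, "0xpasserby", "JOE", "AVAX", 3.0),
]


def run_demo():
    """Run the audit over the constructed events; only tx 0xb should raise alerts."""
    return audit_converts(EVENTS, REGISTRY, KEEPERS, outsider_joe_threshold=10.0)


if __name__ == "__main__":
    for tx, reason in run_demo():
        print(tx, reason)
```

Run as-is, only the constructed transaction 0xb is flagged, once for the nested-LP pair and once for the large non-keeper payout; the keeper's routine conversion and the small call by a random address pass silently, which is the point: the fix is not to make convert() private, but to refuse pairs that wrap LP tokens and to notice when value leaves the contract by someone other than your own bot.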

The Coverup

Ultimately, a handful of addresses managed to drain the contracts through several hundred transactions. Our rough estimate is that around $1 million worth of platform fees was lost in the hack. These funds would otherwise have been provided as rewards to xJOE holders.

This is an unfortunate scenario, but it's certainly not unheard of within DeFi. What's both unheard of and outrageous is Trader Joe withholding the information about the hack. This is a complete betrayal of Joe's Community.

How are we supposed to trust them? If they tried to sweep this under the rug, what else are they hiding from us? Why didn’t they acknowledge it?

We’ll continue to dig deeper. We’ve found that even with all their talk about transparency, the water in Trader Joe’s fishbowl remains murky at best.

About Boo Finance

Boo Finance is a DeFi/GameFi protocol pioneering DeFi 3.0 on the Avalanche Network. We are building innovative yield farming, GameFi, and NFT products. Check out Boo Finance and join our community on Discord, Telegram, and Twitter.

BooFinance is a decentralized collective of ghosts working to disrupt current yield farming practices and inflationary NFT models.
