Polygon-Based Project Jarvis Loses $660K to a Security Exploit

Jarvis Network recently announced losing over half a million dollars to a security breach. The exploit cost the popular Polygon DeFi project 663,101 Matic tokens, or USD 660,000.

According to the latest tweets by Jarvis, the breach took place at the Midas pool. The jFIAT token was the target, as Midas recently integrated a collateral-type token, the stMATIC-wMATIC Curve liquidity provider token.

Currently, the token appears to be inflated for borrowing jCHF, agEUR, jGBP, and jEUR. The goal was to swap these tokens for MATIC over the Kyber Network. Jarvis attached the wallet address where the funds were transferred successfully. The platform also requested Ethereum and Polygon to flag the address. 

Jarvis collaborated with Midas back in June 2022 to launch its jFIAT pool. jFIAT acts as a fiat currency designed to be a stablecoin on an on-chain forex market. While Jarvis is native to Ethereum, its base layer operates on the Polygon mainnet. 

As for the exploit, the breachers used price manipulation and re-entrancy attacks. Re-entrancy attacks occur when bad actors exploit vulnerable smart contracts to transfer funds to a personal wallet.

Since Midas has recently added the new collateral, it was exploited by the bad actors. Ancilia, a cybersecurity firm, confirmed that the breacher conducted multiple transactions that affected jFIAT tokens over 10 times. In addition, the attacker minted more than 131,000 jFIAT tokens, while 270,000 Matic tokens were used as collateral.

Polygonscan claims that the wallet currently only contains 17 dollars, while Binance has also documented the stolen funds. Midas said on Twitter that Jarvis has temporarily halted borrowing on the platform.