defirisk.co
rubric v1.7.0

Midas Capital: Read-only reentrancy on Curve LP token virtual price — inflated collateral valuation

Midas Capital lost $660K when an attacker exploited a known read-only reentrancy bug in Curve LP tokens to inflate collateral value and overborrow jFIAT assets — a vulnerability that had already struck market.xyz three months earlier.

Occurred: 2023-01-15 | Loss: $660K | Status: closed

Summary

Midas Capital, a lending / money market protocol, was exploited on 2023-01-15, resulting in a loss of approximately $660K.

What happened

Midas Capital runs a Compound V2 / Fuse-style money market on Polygon. Shortly before the incident it enabled the WMATIC-stMATIC Curve LP token as a new collateral type and priced that token with the Curve pool's get_virtual_price() function, which returns the pool invariant D divided by the LP token supply and is not guarded by the pool's reentrancy lock. When a user calls remove_liquidity(), the pool burns the LP tokens and then pays the coins out one at a time, sending native MATIC to the caller before the remaining coin has left the pool. A contract receiving that transfer can therefore call into other protocols while the supply is already reduced but the balances are not, so get_virtual_price() reads high. The attacker used that window: inside the callback they borrowed jFIAT assets from Midas against Curve LP collateral that the oracle valued at the inflated price, draining roughly $660K. The same read-only reentrancy had been used against market.xyz in October 2022, three months earlier, so the risk was public before Midas listed the collateral.
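The reentrant window described above, modelled in Python as an added example (not Curve's, Midas Capital's or market.xyz's code, and not a transaction-level reconstruction of the attack): a small StableSwap pool whose remove_liquidity() burns LP tokens before paying out coins, with coin 0 delivered through a callback as a native-token transfer would be. A VulnerableOracle that prices the LP token from get_virtual_price() alone reads a value inflated by roughly 50% inside the callback of a 50% withdrawal, while a HardenedOracle that first calls a lock-guarded pool function (named withdraw_admin_fees() here, an assumption standing in for whatever @nonreentrant function the concrete pool exposes) gets a revert instead. The pool state, the amplification coefficient and the deviation_bps() check, which is the kind of comparison behind the RD-F-099 oracle-deviation signal, are constructed for the illustration.

```python
"""Constructed model of read-only reentrancy on a Curve-style get_virtual_price().
Added illustration, not Curve's, Midas Capital's or market.xyz's code: a 2-coin
StableSwap pool that burns LP tokens first, then pays coin 0 out via a callback."""
from dataclasses import dataclass, field

N_COINS = 2
AMP = 100            # amplification coefficient A (assumed value)
PRECISION = 10**18

def get_d(xp, amp):
    """StableSwap invariant D by Newton iteration (the form Curve's pools use)."""
    s = sum(xp)
    d = s
    ann = amp * N_COINS
    for _ in range(255):
        d_p = d
        for x in xp:
            d_p = d_p * d // (x * N_COINS)
        d_prev = d
        d = (ann * s + d_p * N_COINS) * d // ((ann - 1) * d + (N_COINS + 1) * d_p)
        if abs(d - d_prev) <= 1:
            break
    return d

class Locked(Exception):
    """Stands in for the revert of a @nonreentrant function while the lock is held."""

@dataclass
class Pool:
    balances: list          # per-coin balances, 18 decimals
    total_supply: int       # LP token supply
    locked: bool = False    # the pool's reentrancy lock

    def get_virtual_price(self):
        # Not guarded by the lock, like the affected pools: D per LP token.
        return get_d(self.balances, AMP) * PRECISION // self.total_supply

    def withdraw_admin_fees(self):
        # Lock-guarded function (name assumed); reverts during remove_liquidity.
        if self.locked:
            raise Locked("reentrancy lock held")

    def remove_liquidity(self, amount, receiver):
        """Burn `amount` LP tokens, then pay out coins; coin 0 is sent via callback."""
        if self.locked:
            raise Locked("reentrancy lock held")
        self.locked = True
        try:
            supply = self.total_supply
            payouts = [bal * amount // supply for bal in self.balances]
            self.total_supply -= amount          # burn before any transfer
            for i, value in enumerate(payouts):
                self.balances[i] -= value
                if i == 0:
                    # Receiver code runs here: supply already reduced, coin 1
                    # still fully in the pool, so D / supply reads high.
                    receiver.on_native_received(self, value)
        finally:
            self.locked = False
        return payouts

class VulnerableOracle:
    """Prices the LP token by get_virtual_price() alone (the exploited pattern)."""
    def price(self, pool):
        return pool.get_virtual_price()

class HardenedOracle:
    """Calls a lock-guarded pool function first, so a reentrant read reverts."""
    def price(self, pool):
        pool.withdraw_admin_fees()
        return pool.get_virtual_price()

@dataclass
class Observer:
    """The withdrawing contract; its callback asks the oracle for a price, as a
    borrow priced by a lending market at that moment would."""
    oracle: object
    seen: list = field(default_factory=list)

    def on_native_received(self, pool, value):
        try:
            self.seen.append(self.oracle.price(pool))
        except Locked as exc:
            self.seen.append(exc)

def run(oracle):
    """Oracle readings (before, inside callback, after) for a 50% withdrawal from a
    constructed balanced pool: 1M/1M tokens, 2M LP supply, virtual price 1.0."""
    pool = Pool(balances=[10**24, 10**24], total_supply=2 * 10**24)
    observer = Observer(oracle)
    before = oracle.price(pool)
    pool.remove_liquidity(10**24, observer)
    return before, observer.seen[0], oracle.price(pool)

def deviation_bps(observed, reference):
    """Deviation from a reference price in basis points (an 'oracle deviation > X%'
    real-time signal compares this against a threshold)."""
    return abs(observed - reference) * 10_000 // reference

if __name__ == "__main__":
    b, d, a = run(VulnerableOracle())
    print(f"vulnerable: before={b} during={d} after={a} ({deviation_bps(d, b)} bps)")
    print("hardened:", run(HardenedOracle()))
```

Running the file prints the three readings for each oracle. The inflation exists only while remove_liquidity() is on the call stack, which is why a reentrancy guard on the lending market's own contracts does not help: the borrow is a fresh external call from the pool's callback, so the check has to be made against the pool's lock, or the price has to come from a source that cannot be read mid-transaction.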

Linked factors

  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited new collateral integration; the read-only reentrancy risk was known from market.xyz (Oct 2022)]
  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — newly added collateral type (WMATIC-stMATIC Curve LP) enabled shortly before exploit]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
  • RD-F-050 — causal : Dependency graph [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
  • RD-F-052 — related : Breakage analysis [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
  • RD-F-077 — causal : Prior exploit count [via cross-hack: Factor 5: Second Exploit on Same Protocol]
  • RD-F-078 — causal : Chronic flag (≥3 prior exploits) [via cross-hack: Factor 5: Second Exploit on Same Protocol]
  • RD-F-079 — causal : Same-root-cause repeat exploit [via cross-hack: Factor 5: Second Exploit on Same Protocol]
  • RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Y — virtual_price() returned inflated value during reentrant window]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Compound V2 / Fuse fork architecture]
  • RD-F-127 — related : Upstream Compound has patches that may not be merged here [via dashboard_risk_factors/Forked?: Yes — Compound V2 / Fuse fork architecture]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — newly added collateral type (WMATIC-stMATIC Curve LP) enabled shortly before exploit]