Shezmu: Unrestricted Collateral Minting in CDP Vault
Shezmu's vault accepted collateral anyone could mint for free — an attacker borrowed $4.9M in ShezUSD, then thin liquidity and a 20% bounty deal brought most of it back.
Summary #
Shezmu suffered a CDP / Stablecoin on 2024-09-20, resulting in a loss of approximately $5M.
What happened #
Shezmu's vault accepted collateral anyone could mint for free — an attacker borrowed $4.9M in ShezUSD, then thin liquidity and a 20% bounty deal brought most of it back.
Linked factors #
- RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — contract upgrade 17 days before exploit (may be related)] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — contract upgrade 17 days before exploit (may be related)]
- RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — contract upgrade 17 days prior is notable; may have introduced or failed to patch the flaw]
- RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — contract upgrade 17 days before exploit (may be related)]