Illuvium Team Drains sILV Uniswap Pool in Bid to Prevent Exploit Cash-Out

The multibillion-dollar blockchain gaming project is taking drastic steps to protect staking rewards.

(Fábio Lucas/Unsplash)

After discovering a flaw in its staking platform, multibillion-dollar blockchain gaming giant Illuvium has drained all the funds from a Uniswap pool in an effort to prevent an attacker from cashing out.

The drastic move is perhaps a novel step for a project seeking to mitigate the damage from the latest in a string of hacks, exploits and attacks that have long been rampant in decentralized finance (DeFi) and now appear to be bleeding into the “GameFi” movement.

In a tweet yesterday, the team initially said that while they had discovered a vulnerability, “no funds have been compromised” and that minting contracts had been temporarily paused.

However, a record of transactions dating back to November shows a series of addresses with custom contracts consistently depositing a sum of ILV, Illuvium’s governance token, and then withdrawing a greater sum of escrowed ILV, or sILV, rewards than would have been normally allowed by the staking program, before rolling the proceeds to a new address.

Starting at 2 p.m. ET on Tuesday, the sILV/ETH Uniswap V3 pool was drained of all funds in a series of large transactions, temporarily pushing the trading price of sILV to 0.

In a message in the project’s official Discord server, co-founder Aaron Warwick wrote, “In order to stop a security flaw from being executed, we have had to take the step of rescuing the sILV pool.”

Warwick added on Discord that the team has “a backstop multisig that is able to mint in extreme circumstances.” The team used this multi-signature wallet, an address with specific in-protocol permissions that needs a majority of a group of signers to execute transactions, to mint tokens and sell them for ETH, rendering sILV worthless, as there is no ETH to swap the sILV for.

It’s currently unclear how much sILV the attacker was able to cash out as ETH before the team managed to drain the pool entirely.

“We were aware that the hacker was ready to sell all their sILV, and the amount they had would have completely drained the pool,” said Warwick in an interview with CoinDesk. “We attempted to beat them to it, and they got some and we got some.”

The team is already referring to compensation plans, writing on Discord, “As soon as we can get a snapshot of the true owners of sILV we will reimburse everyone.” Warwick declined to comment further on those plans.

Warwick also advised that users should not buy into any liquidity that is added to the Uniswap pool. ILV is down 0.8% on the day to $1,004.33.

UPDATE (Jan. 5, 15:21 UTC): Corrects attack vector description and reference to escrowed ILV.

Andrew Thurman

Andrew Thurman was a tech reporter at CoinDesk. He formerly worked as a weekend editor at Cointelegraph, a partnership manager at Chainlink and a co-founder of a smart-contract data marketplace startup.
