Keep3r Network exploited for over $200k
A recent attack on Keep3r Network resulted in the loss of 4084 KP3R, valued at $211k at the time. The attacker was able to gain control of the governance address of a whitelisted Keep3r v1 job because it was a vanity address. The attacker then added liquidity to the job, manipulated the Sushi LP pool, and called the applyCreditsToJob function, which calculates how many credits the job deserves for the amount of liquidity. By manipulating the calculation, the attacker managed to get 4084 KP3R credits instead of 537.89 KP3R credits. The attacker then drained the credits and kept them for themselves.
According to the timeline of events, the attacker added liquidity to the job on June 2nd and gained control of the governance on June 12th. The attack was possible due to several issues, such as the receipt function in Keep3r v1, which allows a job to pay KP3R credits directly, and the ease with which Keep3r v1 calculations of credits can be manipulated through flash loans. These issues do not exist in Keep3r v2.
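Why a credit calculation that reads live pool reserves can be moved by a single large trade, and what a manipulation-resistant valuation looks like, shown as an added example that is not Keep3r's contract code. It assumes a simplified model in which credits equal the LP position's share of the pool's KP3R reserve; the pool figures, the `ref_price` oracle value and all function names are constructed for illustration.

```python
from math import sqrt

FEE = 0.003  # swap fee of the constructed pool (assumption)

class Pool:
    """Constant-product KP3R/WETH pool; all figures are constructed."""

    def __init__(self, kp3r, weth, lp_supply):
        self.kp3r, self.weth, self.lp_supply = kp3r, weth, lp_supply

    def swap_kp3r_in(self, kp3r_in):
        """Trade KP3R for WETH along x*y=k; returns the WETH paid out."""
        k = self.kp3r * self.weth
        weth_out = self.weth - k / (self.kp3r + kp3r_in * (1 - FEE))
        self.kp3r += kp3r_in
        self.weth -= weth_out
        return weth_out

def spot_credits(pool, lp_amount):
    """Weak form (assumed model): LP share of the live KP3R reserve."""
    return pool.kp3r * lp_amount / pool.lp_supply

def fair_credits(pool, lp_amount, ref_price):
    """Hardened form: rebuild the KP3R reserve from the invariant k and a
    reference price (WETH per KP3R, e.g. a time-weighted average), so the
    reserve ratio inside the current block does not enter the result."""
    k = pool.kp3r * pool.weth
    return sqrt(k / ref_price) * lp_amount / pool.lp_supply

def demo():
    pool = Pool(kp3r=10_000.0, weth=1_000.0, lp_supply=1_000.0)
    ref_price = pool.weth / pool.kp3r   # 0.1 WETH per KP3R, sampled earlier
    lp = 50.0                           # LP tokens credited to the job
    before = (spot_credits(pool, lp), fair_credits(pool, lp, ref_price))
    pool.swap_kp3r_in(60_000.0)         # one large trade skews the reserves
    after = (spot_credits(pool, lp), fair_credits(pool, lp, ref_price))
    return before, after

if __name__ == "__main__":
    (s0, f0), (s1, f1) = demo()
    print(f"before trade: spot={s0:.2f} fair={f0:.2f}")
    print(f"after trade:  spot={s1:.2f} fair={f1:.2f}")
```

The spot-based figure follows the skewed reserve, while the invariant-based figure moves only by the swap fee retained in the pool.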
The implications of the attack for the future of the technology industry are significant. As Keep3r v1 is now vulnerable to attacks, it is recommended that it be fully disabled by removing all approved liquidities and jobs. Additionally, Keep3r v1 should have been deprecated in favor of Keep3r v2. As cybersecurity risks continue to evolve, it is clear that the technology industry must prioritize security measures to protect against future attacks.