Swerve Finance, a defunct Curve Finance clone, is in the middle of a live governance exploit, viewable on-chain, in which an attacker is attempting to steal $1.3 million in stablecoins, and details may have emerged unmasking the alleged exploiter behind the attack.
To recap, someone has been trying to mount a governance attack on Swerve Finance. A governance attack is one in which the hacker takes control of enough voting power to execute proposals designed to steal tokens from a protocol. In Swerve Finance’s case, the attack has been continuing for more than a week.
It began when an address owned by an entity we’ll refer to as “Exploiter A” for the purpose of this article launched the governance attack. This address did so by creating two proposals to transfer ownership of Swerve’s remaining funds — worth $1.3 million — to the attacker’s contract. The exploiter launched this attack with 348,000 of Swerve’s governance tokens but was unsuccessful. This is because the attacker did not have enough tokens to meet the 51% token ownership to pass the proposal.
On-chain data shows Exploiter A requesting assistance from another address, which we’ll call “Exploiter B.” This new entity soon began voting on the proposal with 102,000 Swerve governance tokens. The combined voting power of these two entities is still not enough to pass the malicious governance proposal.
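The threshold rule the article describes (a proposal executes only when the token weight voting for it meets 51% of supply) can be turned into a simple defender-side monitor that tallies votes per proposal and flags proposals whose effect would be to hand over ownership. The Python below is an added example, not code from Swerve Finance, The Block or the researcher quoted; the 348,000 and 102,000 vote weights and the 51% threshold come from the article, while the total supply of 1,000,000 tokens, the event format, the proposal metadata, the action names and the addresses 0xA and 0xB are constructed assumptions.

```python
"""Governance-vote monitor (added example; not Swerve's or The Block's code).

Models the rule in the article: a proposal passes only when the token weight
behind it reaches 51% of total supply.  Everything marked 'assumed' or
'constructed' below is illustrative, not taken from the chain.
"""
from collections import defaultdict

PASS_THRESHOLD = 0.51        # fraction of supply needed to pass (from the article)
ALERT_THRESHOLD = 0.25       # assumed early-warning level for defenders
TOTAL_SUPPLY = 1_000_000     # assumed; the article does not state Swerve's supply

# Actions that hand control of the protocol to another party (names assumed).
SENSITIVE_ACTIONS = {"transfer_ownership", "commit_transfer_ownership"}

# Constructed vote events: (block, voter, proposal_id, token_weight)
VOTE_EVENTS = [
    (100, "0xA", 1, 348_000),
    (100, "0xA", 2, 348_000),
    (150, "0xB", 1, 102_000),
    (150, "0xB", 2, 102_000),
]

# Constructed proposal metadata: proposal id -> the call it would execute
PROPOSALS = {
    1: {"action": "transfer_ownership", "target": "0xAttackerContract"},
    2: {"action": "transfer_ownership", "target": "0xAttackerContract"},
    3: {"action": "set_fee", "target": "0xPool"},
}


def tally(events):
    """Return {proposal_id: {voter: weight}}, counting each address once per proposal."""
    votes = defaultdict(dict)
    for _block, voter, pid, weight in events:
        votes[pid][voter] = weight  # a repeat vote overwrites, so no double counting
    return votes


def support_fraction(votes, pid, supply=TOTAL_SUPPLY):
    """Share of total supply currently voting for a proposal."""
    return sum(votes.get(pid, {}).values()) / supply


def would_pass(votes, pid, supply=TOTAL_SUPPLY):
    """True when the proposal meets the 51%-of-supply rule."""
    return support_fraction(votes, pid, supply) >= PASS_THRESHOLD


def assess(events, proposals, supply=TOTAL_SUPPLY):
    """Produce one finding per proposal, severity based on effect and support."""
    votes = tally(events)
    findings = {}
    for pid, meta in proposals.items():
        frac = support_fraction(votes, pid, supply)
        sensitive = meta["action"] in SENSITIVE_ACTIONS
        if sensitive and frac >= PASS_THRESHOLD:
            level = "critical"   # ownership transfer can execute now
        elif sensitive and frac >= ALERT_THRESHOLD:
            level = "high"       # ownership transfer gathering real support
        elif sensitive:
            level = "watch"      # sensitive effect, little support so far
        else:
            level = "none"
        findings[pid] = {
            "level": level,
            "support": round(frac, 4),
            "voters": sorted(votes.get(pid, {})),   # >1 voter shows coordination
            "action": meta["action"],
        }
    return findings


if __name__ == "__main__":
    for pid, f in assess(VOTE_EVENTS, PROPOSALS).items():
        print(pid, f)
```

With the constructed supply, Exploiters A and B together control 45% of the vote on proposals 1 and 2, so `would_pass` is false for both while `assess` still rates them "high" because their effect is an ownership transfer and two addresses are coordinating on them; proposal 3 is rated "none".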
Swerve Finance exploiter doxed?
Wintermute’s Head of Research Igor Igamberdiev believes he has unmasked the identity of the exploiter. Igamberdiev provided a trail of on-chain evidence, including transactions routed via the sanctioned crypto mixer Tornado Cash, that linked to a specific individual. The analysis links wallet addresses associated with this individual to Exploiters A and B responsible for the governance attack.
Igamberdiev stated that he is “100%” sure the individual is the exploiter, adding, “Timing is the usual heuristic to connect deposits and withdrawals.” For context, timing here refers to the numerous instances where deposits and withdrawals linked to the individual and the two exploiter addresses appear to be connected.
The alleged exploiter had not responded to The Block’s request for comment as of the time of reporting.
Igamberdiev stated that it was not too late for the exploiter to stop the attack. “Instead, it’s possible to help the community protect Swerve from future attacks, for example, by transferring ownership to the null address,” Igamberdiev tweeted.