Explained: The Swerve Finance Hack (March 2023)

The Swerve Finance hack is an example of a governance exploit. In this type of attack, a DeFi project has a decentralized governance mechanism in which users who have staked coins in the project have the ability to vote on different proposals. Vulnerabilities in these governance mechanisms can allow the attacker to submit and approve malicious proposals, exploiting the protocol.

Swerve Finance’s DAI-USDC-USDT pool contained $1.3 million in value. The exploiter created a proposal in which this locked value would be transferred to their address.

For this attack to succeed, the attacker needs to control a majority of the protocol’s Swerve governance tokens. Initially, the attacker launched the attack with 348,000 tokens and later gained the aid of another address with an additional 102,000 tokens.

Since these two addresses still lack the combined power necessary to pass the proposal, the attack is still ongoing. However, the party behind the attack has been identified and claims that the attack was a white hat effort to claim the $120K available in admin fees and that the potential vulnerability of the protocol’s $1.3 million was a happy accident.

The Swerve Finance project was abandoned some time ago, but the project still held significant value. The creators handed over control to the community, which left it potentially vulnerable to exploitation.

In this case, the attempted hack of Swerve Finance demonstrated how decentralized governance can successfully protect large sums. However, as pointed out by Igor Igamberdiev of Wintermute, this scheme could be better. Transferring ownership of the project to the null address — which is inaccessible to everyone — could provide better protection against malicious takeover attacks.

When designing decentralized governance protocols, it’s important to balance usability and security. For advice on implementing a decentralized governance protocol or a review of an existing one, reach out to our digital asset security experts.