Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 110 · Smart Contract Bug

Team Finance Migration Drain

Team Finance lost $15.8M in a Uniswap v2-to-v3 migration: locked tokens were moved into a v3 pair at a caller-chosen, skewed price, and most of the underlying assets were refunded to the attacker as 'leftover', for $2,700 in gas. $7M returned.

Date: October 27, 2022
Chain(s): Ethereum
Status: Partially Recovered

On October 27, 2022, the Team Finance liquidity-locking protocol — used by hundreds of small-cap token projects to demonstrate "locked liquidity" credibility — was exploited for $15.8 million during a Uniswap v2 → v3 migration. The attacker spent $2,700 in gas to execute the drain. $7 million was returned after on-chain negotiation.

What happened

Team Finance's product was a liquidity-locker: token projects locked their Uniswap liquidity provider (LP) tokens in Team Finance contracts as a public commitment that the underlying liquidity wouldn't be rugged. The protocol offered a migration helper that let projects move their locked liquidity from Uniswap v2 to v3 atomically.

The migration helper had a flaw in its price-validation logic. When migrating LP tokens from v2 to v3, the helper:

  1. Withdrew the v2 LP tokens from the locked Team Finance contract.
  2. Re-pooled the underlying assets into a v3 pair, with the price range and ratio specified by the caller.
  3. Refunded any "leftover" assets that didn't fit into the target v3 position back to the caller.

The fatal omission: nothing tied the caller-supplied price and range to the v2 pool's actual reserve ratio, and nothing required the resulting v3 position to retain the value that had just been withdrawn. An attacker calling the migration could:

  1. Specify a v3 price and range far from the v2 spot, so that the position absorbed only a sliver of the withdrawn assets.
  2. Receive the bulk of the locked liquidity as the "leftover" refund from the protocol.
  3. Walk away with the difference between the pre-migration locked value and the value of the post-migration v3 position.
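The three-step flow above, modelled as an added Python example (this is not Team Finance's contract or an audit artefact; the reserves, prices, function names and `MigrationPolicy` thresholds are assumptions made for illustration). It puts the unchecked helper beside a hardened one that enforces a safety-of-funds invariant: the target price must track the v2 spot, the v3 position must retain almost all of the withdrawn value when priced at the v2 spot, and leftover is re-locked rather than paid to the caller. The owner-only check in the hardened version is a generic guard, not part of the bug the page describes. The deposit arithmetic is the standard Uniswap v3 liquidity formula, so the model generalises beyond this incident: with a skewed target price the position absorbs all of one token and a sliver of the other, and everything else becomes "leftover".

```python
"""Toy model of a Uniswap v2 -> v3 lock-migration helper.

Added illustration, not Team Finance's contract: the reserves, prices and
MigrationPolicy thresholds below are assumptions.
"""
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class V2Lock:
    """A locked v2 LP position reduced to the reserves it redeems to."""
    owner: str
    amount0: float  # project token (token0)
    amount1: float  # quote asset such as WETH (token1)

    @property
    def spot(self) -> float:
        """v2 spot price of token0 in token1 (reserve1 / reserve0)."""
        return self.amount1 / self.amount0


@dataclass(frozen=True)
class V3Params:
    """Caller-supplied target: initial pool price and position range."""
    price: float
    lower: float
    upper: float


def v3_deposit(x: float, y: float, p: V3Params) -> tuple[float, float]:
    """Largest v3 position that fits in [lower, upper] at `price` given x of
    token0 and y of token1 (standard v3 liquidity formulas). Returns the
    amounts actually deposited; whatever is not deposited is 'leftover'."""
    sp, sa, sb = sqrt(p.price), sqrt(p.lower), sqrt(p.upper)
    if p.price <= p.lower:          # range entirely above price: token0 only
        return x, 0.0
    if p.price >= p.upper:          # range entirely below price: token1 only
        return 0.0, y
    l0 = x / (1 / sp - 1 / sb)      # liquidity token0 can support
    l1 = y / (sp - sa)              # liquidity token1 can support
    liq = min(l0, l1)               # the scarcer side caps the position
    return liq * (1 / sp - 1 / sb), liq * (sp - sa)


def migrate_unchecked(lock: V2Lock, caller: str, p: V3Params) -> dict:
    """Vulnerable flow: withdraw, deposit whatever fits `p`, refund the rest to
    the caller. Nothing ties `p` to the v2 spot, so the caller decides how
    much of the lock is 'leftover'."""
    dep0, dep1 = v3_deposit(lock.amount0, lock.amount1, p)
    return {"locked0": dep0, "locked1": dep1, "refund_to": caller,
            "refund0": lock.amount0 - dep0, "refund1": lock.amount1 - dep1}


@dataclass(frozen=True)
class MigrationPolicy:
    """Safety-of-funds invariant (assumed thresholds)."""
    max_price_deviation: float = 0.05   # pool price within 5% of v2 spot
    min_locked_fraction: float = 0.95   # >= 95% of withdrawn value stays locked


def migrate_checked(lock: V2Lock, caller: str, p: V3Params,
                    policy: MigrationPolicy = MigrationPolicy()) -> dict:
    """Hardened flow: owner-only (generic guard), target price pinned to the
    v2 spot, retained value measured at the v2 spot rather than at the
    caller's price, and leftover re-locked instead of paid out."""
    if caller != lock.owner:
        raise PermissionError("caller is not the lock owner")
    spot = lock.spot
    if abs(p.price - spot) / spot > policy.max_price_deviation:
        raise ValueError(f"target price {p.price:g} deviates from v2 spot {spot:g}")
    if not (p.lower < spot < p.upper):
        raise ValueError("v3 range does not contain the v2 spot price")
    dep0, dep1 = v3_deposit(lock.amount0, lock.amount1, p)
    withdrawn = lock.amount0 * spot + lock.amount1
    locked = dep0 * spot + dep1
    if locked < policy.min_locked_fraction * withdrawn:
        raise ValueError(f"only {locked / withdrawn:.1%} of value would stay locked")
    return {"locked0": dep0, "locked1": dep1, "refund_to": "lock",
            "refund0": lock.amount0 - dep0, "refund1": lock.amount1 - dep1}


def rejection(lock: V2Lock, caller: str, p: V3Params,
              policy: MigrationPolicy = MigrationPolicy()):
    """Reason the hardened helper rejects `p`, or None when it accepts."""
    try:
        migrate_checked(lock, caller, p, policy)
    except (PermissionError, ValueError) as err:
        return str(err)
    return None


# Constructed lock: 1e9 project tokens against 100 WETH, so spot = 1e-7.
LOCK = V2Lock(owner="project", amount0=1e9, amount1=100.0)
HONEST = V3Params(price=1e-7, lower=2.5e-8, upper=4e-7)   # geometric around spot
SKEWED = V3Params(price=1e-11, lower=5e-12, upper=2e-11)  # 10,000x below spot

if __name__ == "__main__":
    out = migrate_unchecked(LOCK, "attacker", SKEWED)
    print(f"unchecked: {out['refund1']:.2f} of {LOCK.amount1} WETH refunded to {out['refund_to']}")
    print("checked, as attacker:", rejection(LOCK, "attacker", SKEWED))
    print("checked, as owner:   ", rejection(LOCK, "project", SKEWED))
    print("checked, honest:     ", rejection(LOCK, "project", HONEST))
```

With the constructed numbers the unchecked helper deposits all 1e9 project tokens and only 0.01 WETH into the skewed position and hands the remaining 99.99 WETH to the caller. Priced at the caller's own target the position is worth about 0.02 WETH, which is why the hardened check values both the withdrawn and the retained assets at the v2 spot: a price the caller controls cannot be the yardstick for the invariant. The value check also catches a lopsided range whose price does match the spot, so the two checks are not redundant.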

The attacker targeted four locked token pairs, CAW ($11.5M), Dejitaru Tsuka ($1.7M), Kondux ($0.7M) and FEG ($1.9M), totalling ~$15.8M, while spending approximately $2,700 in gas in total.

Aftermath

  • Team Finance paused migrations immediately and published a post-mortem.
  • The attacker identified themselves as a "whitehat" in transaction memos and returned approximately $7M of the stolen funds.
  • The remaining ~$9M was kept; some was eventually laundered through Tornado Cash.
  • Team Finance redesigned the migration helper with proper price-range validation.

Why it matters

Team Finance is one of the cleaner cases for how "audited" is not equivalent to "secure" — the migration contract had been audited, but the audit did not include the specific economic-invariant check that would have caught this bug. The class of vulnerability (missing validation on caller-supplied price ranges) is structurally identical to several other DeFi exploits where migration or admin paths skip the validation that the normal user flows enforce.

The deeper lesson, particularly relevant to liquidity-locker products: the trust assumption is "the locked liquidity cannot be moved by the project until unlock". Any code path that lets the project move locked liquidity without unlocking it — including for migrations, upgrades, or "leftover refunds" — is a back door to the trust model the entire product exists to enforce.

The $2,700 gas cost to drain $15.8M is itself a striking statistic — a reminder that smart-contract exploits are usually labour costs, not capital costs. Once the vulnerability is identified, exploiting it is essentially free.

Sources & on-chain evidence

  1. [01] halborn.com: https://www.halborn.com/blog/post/explained-the-team-finance-hack-october-2022
  2. [02] theblock.co: https://www.theblock.co/post/180369/hacker-uses-2700-to-drain-15-8-million-from-team-finance
  3. [03] unchainedcrypto.com: https://unchainedcrypto.com/team-finance-loses-15-8m-in-protocol-exploit/
