Visor Finance Staking Reentrancy
Visor Finance's staking contract lost $8.2M to a reentrancy in the delegateTransferERC20 path. VISR fell 95% same-day; Visor migrated to a new token.
- Date: December 21, 2021
- Victim: Visor Finance
- Chain(s):
- Status: Partially Recovered
On December 21, 2021 at 14:29 UTC, the active liquidity-management protocol Visor Finance lost approximately $8.2 million when an attacker exploited a reentrancy in the protocol's staking contract. 8,812,958 VISR tokens were stolen; the token's market price fell from roughly $0.93 to $0.04 — a 95% decline — as the dilution and protocol-failure narrative settled.
What happened
Visor's staking contract let users deposit and withdraw VISR via an external interface — IVisor.delegateTransferERC20() — that the staking contract called to move tokens on the user's behalf.
The function's intended behaviour: the staking contract calls delegateTransferERC20(), which calls back to the user-supplied implementation, which transfers tokens. The flaw was structural: the user-supplied implementation could re-enter the staking contract before the original call's accounting had been updated.
The attack:
- The attacker deployed a contract implementing a malicious delegateTransferERC20() that, when called by Visor's staking contract, re-entered the staking contract's withdrawal function.
- The reentrancy let the attacker withdraw VISR multiple times against the same staked balance — each re-entry reading the un-decremented balance and approving another withdrawal.
- Drained 8.8M VISR in a single transaction loop.
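A simplified Solidity model of the flaw described above next to its checks-effects-interactions fix, added here as an illustration; it is not Visor's actual contract code, and the IVisor interface, function signatures, contract names and the approve-then-callback withdrawal flow are assumptions made to mirror the page's description.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
// Hypothetical callback interface modelled on the page's description of
// IVisor.delegateTransferERC20(): a caller-chosen contract moves the tokens.
interface IVisor {
    function delegateTransferERC20(address token, address to, uint256 amount) external;
}
// Vulnerable pattern: the staking contract approves the withdrawal and calls
// into caller-controlled code BEFORE decrementing the staked balance, so a
// re-entrant withdraw() passes the same balance check again.
contract VulnerableStaking {
    IERC20 public immutable visr;
    mapping(address => uint256) public staked;

    constructor(IERC20 token) { visr = token; }

    function deposit(uint256 amount) external {
        require(visr.transferFrom(msg.sender, address(this), amount), "pull failed");
        staked[msg.sender] += amount;
    }

    function withdraw(IVisor visor, uint256 amount) external {
        require(staked[msg.sender] >= amount, "insufficient stake");   // check
        visr.approve(address(visor), amount);                           // interaction
        visor.delegateTransferERC20(address(visr), msg.sender, amount); // re-entry point
        staked[msg.sender] -= amount;                                   // effect, too late
    }
}
// Hardened pattern: checks-effects-interactions, a mutex, and no
// caller-supplied implementation anywhere on the withdrawal path.
contract HardenedStaking {
    IERC20 public immutable visr;
    mapping(address => uint256) public staked;
    uint256 private locked = 1;
    modifier nonReentrant() { require(locked == 1, "reentrant call"); locked = 2; _; locked = 1; }
    constructor(IERC20 token) { visr = token; }

    // deposit() is identical to VulnerableStaking.deposit() with nonReentrant added
    function withdraw(uint256 amount) external nonReentrant {
        require(staked[msg.sender] >= amount, "insufficient stake");   // check
        staked[msg.sender] -= amount;                                   // effect
        require(visr.transfer(msg.sender, amount), "transfer failed");  // interaction
    }
}
```

The hardened withdraw removes the caller-supplied callback entirely; the mutex is defence in depth in case a future token or hook reintroduces an external call.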
Aftermath
- Visor paused operations and announced a token migration to a new VISR contract — old VISR was effectively voided and new tokens were issued to legitimate holders at the pre-incident snapshot.
- The team emphasised that positions and active hypervisors were unaffected — the loss was contained to the staking contract.
- VISR token (and later, the rebranded Gamma Strategies evolution of the protocol) recovered partially over the following year.
Why it matters
Visor is one of a sequence of reentrancy incidents spanning late 2021 and early 2022 (Cream Finance AMP in August 2021, Visor in December 2021, Fei/Rari in April 2022) that re-established a lesson the industry had supposedly learned five years earlier with The DAO: never trust a callback from an external contract during state mutation. The structural cause — staking contracts calling user-supplied callback implementations without proper reentrancy guards — recurs every time a protocol design favours composability flexibility over strict checks-effects-interactions discipline.
The token-migration response is also instructive: issuing a new token and voiding the old one is a powerful, controversial remediation that works only when the protocol controls a meaningful percentage of liquidity and has community legitimacy to coordinate the swap. Smaller protocols cannot pull it off; larger ones rarely need to.
Sources & on-chain evidence
- [01] cryptobriefing.com: https://cryptobriefing.com/8-2m-lost-visor-finance-suffers-latest-defi-hack/
- [02] finance.yahoo.com: https://finance.yahoo.com/news/visor-finance-suffers-another-defi-094645929.html
- [03] ihodl.com: https://ihodl.com/topnews/2021-12-21/visor-finance-hacked-loses-over-8m-tokens/