Decoding $220K Read-only Reentrancy Exploit | QuillAudits


Protocols Involved:

  1. QuickSwap: QuickSwap is a permissionless decentralized exchange (DEX) based on Ethereum, powered by Matic Network’s Layer 2 scalability infrastructure, where multiple borrowing and lending parties come to lend and borrow.
  2. Market Protocol allows users to earn yield by supplying their cryptocurrencies as collateral to an isolated lending market or pool. was one of the Lending markets in QuickSwap. Market xyz was using Vulnerable Curve Oracle to monitor the lending/borrowing markets.
  3. QiDAO: QiDao is a stablecoin protocol utilizing collateralized debt positions allowing users to mint the stablecoin MAI pegged to the U.S. Dollar. The amount lost in the attack was seeded(funded) by QiDAO to market xyz and no user funds were lost.

Vulnerability Analysis & Impact:

The Attack:

Attack Flow:

  1. First, the attacker first took a flash loan to deposit a large amount of liquidity.

After the Exploit :

Status of Funds:


Web3 security- Need of the hour

Want more Such Security Blogs & Reports?

Partner with QuillAudits :



Smart Contract Auditing Experts , Making web3 a safer place .

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store