On Sunday, January 15th, 2023, the Polygon-based lending protocol Midas Capital was exploited in a flash loan attack. The exploiter was able to borrow various assets against inflated collateral and swap them for ~660k MATIC ($660k). These funds were then sent through multiple addresses to centralized exchanges. Part of these funds remains in the hacker’s wallets as of January 31st, 2023.

The hacker exploited Midas Capital’s smart contracts using flash loans from Aave and Balancer. After the exploit funds were moved from the smart contract to the first layering address (red dots, left to right), the funds were divided into smaller batches. Part of the funds was moved to deposit addresses of centralized exchanges. The rest of the funds remain on the other addresses, most likely owned by the hacker.