Following the exploit that struck its systems on March 27, Revest Finance commissioned Zellic and BlockSec to perform additional audits on the core Revest contracts. They have since begun their work as the Revest Team completed its security checklist.
Earlier this week, Zellic brought an unknown vulnerability to Revest’s that enabled a “grief” against our TokenVault, made possible through the way that TokenVault handles rebase tokens, to Revest’s attention. This threat is now neutralized. Prior to neutralization, this vulnerability allowed a malicious actor to temporary disable access to user funds, though in a way that would cause the malicious actor to permanently lose access to funds utilized for this purpose. User funds were never at risk of theft from this vector; nor would any such “grief” have permanently locked a user out of access to their funds.
Despite the relatively low threat-level posed by this vector, the Revest Team decided this threat was unacceptable. We have developed, tested, and deployed a patch to completely mitigate the threat posed by this vulnerability and are happy to announce that all upgrades have been completed smoothly.
As a consequence however, rebase token functionality is temporarily disabled. This only impacts core-vesting services, and does not impact outlying systems that rely on rebase tokens, such as Revest’s work with The Poktopus.
The Revest team is hard at work on testing and having approved by our auditors a solution that will both introduce the highest standard of security for any token storage system in DeFi and that will allow for rebase tokens to once again function natively. TokenVaultV2 will soon be a reality, and Revest is excited to share in the near future more details.