The Tethys Finance Heist: Evidence of Exploitation and Governance Failures on Metis

Over the past two weeks I have been working on an investigation regarding the Tethys Finance exploit on the Metis network. This investigation was conducted in collaboration with an independent researcher who wants to remain anonymous, but still needs to be mentioned because most of the findings in this report are based on their work.

Below is a timeline of events and all the details regarding the theft and mismanagement of user funds.

Evidence of Theft

Over a period of a few weeks, I have observed numerous reports of Tethys users who claimed that they couldn't remove funds from the $TETHYS staking pool. This was reported back to the Metis team on Telegram and Discord almost daily to which they responded by "communicating the issue to the Tethys team".

November 11th

After the issues were communicated, the Tethys team came out with a statement regarding the release of Tethys V3 and every issue regarding missing funds was attributed to this supposed upgrade of the protocol.

December 5th

Undeniable evidence of an ongoing theft happening on Tethys Finance was shared with me and I almost immediately shared this information on the Metis governance forum with blockchain transactions as proof.

Within a few hours of my report the Metis team issued a warning on their Twitter page and announced an ongoing investigation regarding this incident.

During that same period "Nick of Tethys", the person who announced V3, now posted a warning regarding malicious actors within the Tethys Finance protocol.

Swiftly after that, the official Tethys Twitter page announced a protocol shutdown on December 31st.

Almost immediately after all of this had unfolded, the deployer wallet (0xd3fea6e73096569262949e4ce52c257c731ef6bc), which had been stealing user funds for months, started sending tokens back to the contracts. All of these movements were documented in the official Metis report regarding this incident.

Metis Team Report

Yesterday the Metis team published their own findings regarding this incident on the governance Forum, as a response to my original post.

Although the report covers the important parts of this exploit it fails to mention some very interesting details that I will be sharing below.

Connecting The Dots

Chat logs in the Metis developer channel on Telegram show that an individual going by the name "Starchild" is on the "core team" of Tethys.

After further investigation, we found a wallet address that most likely belongs to this individual:

0x141d48801abC47213D7f714b77618E698ADCbe44

This wallet was used to register the Tethysswap.eth ENS, which further backs our suspicion that this wallet belongs to Starchild, or at least to someone from the core Tethys team. Comparing the activity of this wallet to the deployer wallet gives even more proof that these two wallets are closely connected to each other because they sent multiple outgoing transactions to the same Binance deposit addresses:

0x3d698a5dC195cF0C655ED13E1B3a6b30E3514617
0x228F7aCcCd54eb79B1cac7DcE350bE14acd8c19C

Example transactions:

Deployer wallet sending 28K USDT to Binance deposit address:
https://polygonscan.com/tx/0x4b58a100c549022a27dafd957f5887b2bfdd58452a0dd485062b29e19602a12d

Tethysswap.eth sending 220K USDC to the same Binance deposit address:

https://bscscan.com/tx/0x82bbfa6167b28ee253b7fa8a9e3f46107fdf14d6812fd15e9e9af14777f199f0

The Rabbit Hole

It is hard not to notice that all parties involved now want to present this case as a minor inconvenience and, since most of the stolen funds have been returned, as a solved incident. However, there are some irregularities that need to be mentioned and addressed.

  1. The Metis Report

In their report, the Metis team states the following:

That said, we hold ourselves to a high standard of community engagement and support. Throughout the challenges surrounding Tethys Finance, Metis went above and beyond to advocate for users, maintain transparency, and safeguard access to assets.

My issue with this statement is simple - not only did the Metis team not take all possible measures to "safeguard access to assets" but they have not even bothered to look into the contracts that were responsible for holding user funds. The official version of the story is that this incident started happening in June 2024 but in reality, this all spans back almost two years.

Tethys Finance is a fork of GMX, as can be seen from their contracts. Just a glimpse into the contract holding TLP tokens would show you that the deployer wallet was already altering the contract and stealing funds almost two years ago.

The first illegitimate movement of funds to the deployer wallet happened on July 6th 2023 when 80 WMETIS was withdrawn from the TLP contract.

https://explorer.metis.io/tx/0xb2d5ceffdeebead0116b411d15a5456999f85bfecf034a3cdd9a44c9777372fd

Since then this has continued to happen more frequently adding up to ~500 stolen WMETIS tokens and 30,000 TLP tokens which were stolen on August 5th 2024 and then returned on December 7th, after the incident became public.

  2. Denying Responsibility

Tethys Finance has been promoted on numerous occasions by Metis as a DEX partner, as can be seen in this Twitter post.

According to their own policy, all partner projects need to be fully doxxed to the Metis team, meaning they know exactly who was behind the Tethys exploit.

According to their moderators, Metis is now not required to share this information with victims because projects are now approved through community governance and all previous rules do not apply anymore.

Make of this what you will as I will refrain from drawing any conclusions.

  3. Interesting Coincidences

All of these events have obviously crashed the price of $TETHYS almost immediately but a very similar event happened to a seemingly unrelated token - $NETT.

Roughly 24 hours after the Tethys news broke, $NETT took a big hit, dumping more than 50% over a span of a few hours. After examining the larger wallets that caused the selloff, we have found a few connections leading back to the wallets responsible for the Tethys exploit.

Wallet 0x3F5bd6AE4B3cae29674aDd280E5c31B2B2819e4e has multiple interactions with Tethysswap.eth and they both share the same Binance deposit address.

Only 13 days ago (November 28th), Tethysswap.eth sent more than $200K USDT to this wallet.

Now if we add the deployer wallet into the mix as well, it becomes very clear that these three wallets belong to the same entity.

There is no clear evidence that the Tethys exploiter is in any way connected to Netswap but it should serve as a warning to all $NETT holders to do their own research. This is just one piece of the puzzle that requires a thorough investigation before more concrete evidence can be found.
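The wallet links drawn under "Connecting The Dots" and in this section both rest on the shared deposit address heuristic: an exchange deposit address belongs to one customer, so wallets that pay into the same one are probably controlled together. The sketch below is an added example, not part of the original investigation; every address and transfer in it is a constructed placeholder, and the function name and the `max_senders` cut-off are assumptions.

```python
from collections import defaultdict

# Constructed sample transfers: (sender, recipient, token, amount).
# Every address is a placeholder, not real on-chain data.
TRANSFERS = [
    ("0xAAA1", "0xDEP1", "USDT", 28_000),
    ("0xBBB2", "0xDEP1", "USDC", 220_000),
    ("0xBBB2", "0xDEP2", "USDT", 5_000),
    ("0xCCC3", "0xDEP2", "USDT", 40_000),
    ("0xDDD4", "0xDEP3", "USDT", 900),  # unrelated user, own deposit address
] + [(w, "0xHOT", "USDT", 10) for w in ("0xAAA1", "0xDDD4", "0xEEE5", "0xFFF6")]
# Addresses an analyst has labelled as exchange deposit addresses.
# 0xHOT is a shared hot wallet, mislabelled on purpose.
LABELLED = {"0xDEP1", "0xDEP2", "0xDEP3", "0xHOT"}


def shared_deposit_clusters(transfers, deposits, max_senders=3):
    """Group wallets that paid into the same exchange deposit address.

    Links are transitive: A and B share one address, B and C another,
    so A, B and C land in one cluster. Addresses with more than
    max_senders distinct senders are ignored because they behave like
    a shared hot wallet and would merge unrelated users.
    """
    senders = defaultdict(set)
    for src, dst, _token, _amount in transfers:
        if dst in deposits:
            senders[dst].add(src)

    parent = {}

    def find(x):  # union-find root lookup with path halving
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    links = {d: w for d, w in senders.items() if 2 <= len(w) <= max_senders}
    for wallets in links.values():
        first, *rest = sorted(wallets)
        for w in rest:
            parent[find(w)] = find(first)

    clusters = defaultdict(lambda: {"wallets": set(), "via": set()})
    for dep, wallets in links.items():
        cluster = clusters[find(next(iter(wallets)))]
        cluster["wallets"] |= wallets
        cluster["via"].add(dep)
    return [{"wallets": sorted(c["wallets"]), "via": sorted(c["via"])}
            for c in clusters.values()]
```

The `via` list is the evidence trail for each cluster, and raising `max_senders` shows how a single mislabelled hot wallet pulls unrelated users into the same group.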

Recap and Conclusion

Exploited contracts:

Tethys Staking pool - https://andromeda-explorer.metis.io/address/0xA3c1694EfCd4389Ce652D521d2be28c912250a53

TLP vault - https://explorer.metis.io/address/0xD2032462fd8A45C4BE8F5b90DE25eE3631ec1c2C

Wallets involved:

Deployer wallet - 0xD3Fea6E73096569262949E4ce52c257c731Ef6Bc

Tethysswap.eth wallet - 0x141d48801abC47213D7f714b77618E698ADCbe44

$NETT "Whale" wallet - 0x3F5bd6AE4B3cae29674aDd280E5c31B2B2819e4e

Total amount stolen: ~$1M (this number is an estimate and requires further investigation)

Negligence by Metis: Metis’s failure to act promptly or enforce stricter partner vetting policies enabled bad actors to misuse the platform over a prolonged period. This is something that needs to be addressed immediately to prevent similar events from happening again.

Tethys did share their GitHub repositories publicly on their front page but they were set to private on GitHub. This fact alone should have been a big enough red flag for the Metis team to look into the contracts as a safety measure.

Future Exploits Are Likely: Given the sloppy handling of the Tethys incident, other protocols in the Metis ecosystem could face similar vulnerabilities if governance and oversight do not improve. If you are invested in any Metis-related projects I would strongly advise doing your own research as thoroughly as possible.

At the time of writing, the deployer wallet continues to alter contracts on the Tethys protocol while the Metis team continues to encourage users to withdraw funds from those same contracts with no intention of double-checking the changes made to them (as far as I know). Everyone interacting with these contracts is now at risk of losing even more funds and as it seems, if that does happen, no one will be responsible.

What was shared in this report today is just the tip of a very large iceberg and I am sure that a more detailed investigation would bring forward some shocking revelations that would put into question the integrity of Metis network as a whole. This is my personal opinion and with it I will end this investigation with no plans of continuing.

Over the past two weeks I have seen enough dirty laundry on this network that convinced me to no longer support or promote Metis in any shape or form.

To anyone who is affected by this theft - feel free to use this report as evidence in your legal battles against the threat actors responsible. This is VERY sloppy work and if an official investigation is conducted it will be very easy to identify those responsible since they interacted with multiple exchanges and entities that require KYC verification.

Too much to read if you are not involved in it... But thanks for that.