Flash loans: the new tool for DeFi protocol attackers
Flash loans allow users to borrow a large amount of assets without having to provide any upfront collateral. This type of loan is often used by miscreants to launch attacks on DeFi protocols.
It is disappointing to see another DeFi protocol fall victim to flash loan attacks. This latest incident highlights the need for greater security measures to protect users' funds. We hope that New Free DAO will be able to quickly recover from this loss and that its team will learn from this experience to help make future protocols more secure.
The DeFi protocols that offer flash loans are a great innovation. However, they are often exploited by malicious adversaries who use them to gather large amounts of assets and launch costly exploits against DeFi protocols. This is a serious problem that needs to be addressed.
The crypto community was alerted on Thursday by blockchain security firm Certik about the 99% price slippage of the NFD token due to a flash loan attack. The attacker reportedly deployed an unverified contract and called the function “addMember()” to add itself as a member. The attacker later executed three flash loan attacks with the assistance of the unverified contract. This is a serious security breach that highlights the need for better security measures for crypto exchanges and flash loan providers. The community will no doubt be closely watching to see how this situation develops.
CertiK Alert (@CertiKAlert), September 8, 2022:
#CertiKSkynetAlert
New Free Dao - $NFD was exploited via flash loan attack gaining the attacker 4481 WBNB (approx. ~$1.25M) causing the token to slip in price 99%.
The attacker has connections to Neorder - $N3DR attack from 4 months ago where they took 930 BNB at the time.
$69,825 worth of WBNB was first borrowed via flash loan and swapped for NFD. The attacker then used the contract to create multiple attack contracts to claim airdrop rewards repeatedly. All the airdrop rewards were then swapped for WBNB, netting the attacker 4481 BNB.
The attacker appears to have returned the borrowed loan of 250 BNB and swapped 2,000 BNB for 550,000 BSC-USD. Later, the attacker moved 400 BNB to the popular coin mixer service Tornado Cash. This attack highlights the need for better security measures to protect users' assets on decentralized exchanges.
It's becoming increasingly clear that the hackers behind the recent flash loan attack on NFD are the same ones who exploited Neorder (N3DR) back in May. This is a worrying trend, and it's important that we all remain vigilant in order to protect our crypto assets.
It's alarming that Beosin has discovered another potential vulnerability with the NFD protocol that could be exploited for flash loan attacks. This time, the security firm says that prices could be manipulated since they are calculated using the balance of USDT in the pair. If this exploit is used, it could have devastating consequences for the crypto markets.
Beosin Alert (@BeosinAlert), September 8, 2022:
3/ Although unrelated to this attack, we also find another vulnerability in the $NFD contract that may lead to price manipulation.
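The weakness Beosin describes, a price computed from the pair's current USDT balance, can be shown with a small model. The Python below is an added example, not code from the NFD contract or from Beosin; the Pair class, the reserve figures, the 5% deviation limit and the time-weighted average used as the safer reference are all assumptions made for illustration.

```python
# Constructed constant-product pair (x * y = k, no fees); not the NFD contract.
from dataclasses import dataclass

@dataclass
class Pair:
    usdt: float             # USDT balance held by the pair
    token: float            # token balance held by the pair
    cum_price: float = 0.0  # sum of price * seconds (time-weighted accumulator)
    last_ts: int = 0

    def spot_price(self) -> float:
        # Weak pattern: price read straight from the current balances.
        return self.usdt / self.token

    def cumulative(self, now: int) -> float:
        # Accumulator value at `now`; only time spent at a price adds weight.
        return self.cum_price + self.spot_price() * (now - self.last_ts)

    def swap_usdt_for_token(self, usdt_in: float, now: int) -> float:
        # Record the pre-swap price for the elapsed time, then move reserves.
        self.cum_price, self.last_ts = self.cumulative(now), now
        k = self.usdt * self.token
        self.usdt += usdt_in
        out = self.token - k / self.usdt
        self.token -= out
        return out

def twap(pair: Pair, start_cum: float, start_ts: int, now: int) -> float:
    # Time-weighted average price over [start_ts, now].
    return (pair.cumulative(now) - start_cum) / (now - start_ts)

def price_accepted(spot: float, reference: float, max_dev: float = 0.05) -> bool:
    # Refuse to price anything when spot has moved too far from the average.
    return abs(spot - reference) / reference <= max_dev

def simulate() -> dict:
    pair = Pair(usdt=1_000_000.0, token=1_000_000.0)  # constructed reserves
    start_cum, start_ts = pair.cumulative(0), 0       # consumer's snapshot
    now = 600                                         # ten minutes later
    before = pair.spot_price()
    # One large swap funded by borrowed capital, inside a single transaction.
    pair.swap_usdt_for_token(9_000_000.0, now)
    during = pair.spot_price()
    average = twap(pair, start_cum, start_ts, now)
    return {"spot_before": before, "spot_during": during,
            "twap_during": average, "accepted": price_accepted(during, average)}

if __name__ == "__main__":
    print(simulate())
```

The balance-derived price jumps a hundredfold within the transaction while the time-weighted average stays at its earlier value, so a contract that compares the two can reject the manipulated reading.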
Flash loan attacks have become increasingly popular among hackers due to the low risk, low cost and high reward factors. On Sept. 7, Avalanche-based lending protocol Nereus Finance became a victim of a crafty flash loan attack resulting in a loss of $371,000 in USDC. Earlier in June, Inverse Finance lost $1.2 million in another flash loan attack. While the rewards of a successful flash loan attack can be high, the risks are also increasing as more and more hackers target these protocols. As such, it is important for users of these protocols to be aware of the risks and take steps to protect themselves.