New Free DAO, a decentralized finance (DeFi) protocol, faced a series of flash loan attacks on Thursday, resulting in a reported loss of $1.25 million. The price of the native token has dropped by 99% in the wake of the attack.
Unlike normal loans, several DeFi protocols offer flash loans that allow users to borrow large amounts of assets without upfront collateral deposits. The only condition is that the loan must be returned in a single transaction within a set time period. However, this feature is often exploited by malicious adversaries to gather large amounts of assets to launch costly exploitations targeting DeFi protocols.
Blockchain security firm CertiK alerted the crypto community on Thursday about the 99% price slippage of the NFD token due to a flash loan attack. The attacker reportedly deployed an unverified contract and called the function “addMember()” to add itself as a member. The attacker later executed three flash loan attacks with the assistance of the unverified contract.
The attacker first borrowed 250 Wrapped BNB (wBNB) worth $69,825 via flash loan and swapped all of them for the native token NFD. The contract was then used to create multiple attack contracts to claim airdrop rewards repeatedly. The attacker then swapped all the airdrop rewards for wBNB benefiting 4481 BNB.
Out of the 4481 BNB, the attacker returned the borrowed loan of 250 BNB and swapped 2,000 BNB for 550,000 BSC-USD, the Binance-Peg token of the blockchain. Later, the attacker moved 400 BNB to the popular coin mixer service Tornado Cash.
Hugh Brooks, Director of Security Operations, told Cointelegraph that the vulnerability lay in an unverified rewarding contract deployed by the New Free DAO project. However, "because the rewarding contract is unverified, we do not know the root cause."
CertiK also notified that the hacker behind the flash loan attack on NFD was related to those who exploited Neorder (N3DR) in May earlier this year. Later, another blockchain security firm Beosin told Cointelegraph that the attackers behind both the exploits could be the same. Certik confirmed the same and said:
"The stolen funds from the $N3DR attack were sent to EOA 0x22C9... which is the same wallet that received the stolen funds from this attack."
Related: Solana-based stablecoin NIRV drops 85% following $3.5M exploit
Beosin also highlighted another vulnerability with the NFD protocol that could be further used for another type of flash loan attack. The security firm said that the price could be manipulated since they are calculated “using the balance of USDT in the pair, so it may lead to flash loan attack if exploited.”
Flash loan attacks have been increasingly popular among hackers due to the low risk, low cost and high reward factors. On Wednesday, Avalanche-based lending protocol Nereus Finance became a victim of a crafty flash loan attack resulting in a loss of $371,000 in USD Coin (USDC). Earlier in June, Inverse Finance lost $1.2 million in another flash loan attack.