New Free DAO, a decentralized finance (DeFi) protocol, faced a series of flash loan attacks on Thursday, resulting in a reported loss of $1.25 million. The price of the native token has fallen by 99% after the attack.
Unlike regular loans, several DeFi protocols offer flash loans that allow users to borrow large amounts of assets without up-front collateral deposits. The only condition is that the loan must be repaid in a single transaction within a certain period of time. However, this feature is often exploited by malicious adversaries to gather large amounts of assets and launch costly attacks targeting DeFi protocols.
The blockchain security firm CertiK alerted the cryptocurrency community on Thursday that the NFD token price had fallen by 99% due to a flash loan attack. The attacker appears to have deployed an unverified contract and called the “addMember()” function to add himself as a member. Subsequently, he executed three flash loan attacks with the help of the unverified contract.
New Free Dao – $NFD was exploited via flash loan attack gaining the attacker 4481 WBNB (approx. ~$1.25M) causing the token to slip in price 99%.
The attacker has connections to Neorder – $N3DR attack from 4 months ago where they took 930 BNB at the time.
— CertiK Alert (@CertiKAlert) September 8, 2022
The attacker first borrowed 250 Wrapped BNB (wBNB) worth $69,825 through a flash loan and exchanged all of it for the native NFD token. He then used the contract to create multiple attack contracts that claimed the airdrop rewards repeatedly. The attacker then exchanged all the airdrop rewards for wBNB, receiving 4,481 BNB.
Of the 4,481 BNB, the attacker repaid the 250 BNB loan and exchanged 2,000 BNB for 550,000 BSC-USD, the blockchain token. The attacker later moved 400 BNB to the popular cryptocurrency mixing service, Tornado Cash.
CertiK also reported that the hacker behind the NFD flash loan attack was related to the Neorder (N3DR) exploiters in May this year. Later, another blockchain security firm, Beosin, told Cointelegraph that the attackers behind both exploits could be the same.
Beosin also highlighted another vulnerability in the NFD protocol that could be used for a different type of flash loan attack. The security firm said that the price could be manipulated because it is calculated “using the USDT balance in the pair, so it can lead to a flash lending attack if it gets exploited.”
3/ Although unrelated to this attack, we also find another vulnerability in the $NFD contract that may lead to price manipulation.
— BeosinAlert (@BeosinAlert) September 8, 2022
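Beosin's point about a price read from pair balances, shown as an added example that is not code from this article, from Beosin, or from the NFD contract. It assumes a constant-product pair with constructed reserves and no fees, and compares the balance-derived spot price with a time-weighted average (TWAP) and a deviation guard, both of which are illustrative choices.

```python
from fractions import Fraction

class Pair:
    """Constructed x*y=k pool of USDT and a token (fees ignored: assumption)."""
    def __init__(self, usdt, token):
        self.usdt, self.token = Fraction(usdt), Fraction(token)
        self.cumulative, self.elapsed = Fraction(0), 0

    def spot_price(self):
        # Balance-derived price: moves the instant the reserves move.
        return self.usdt / self.token

    def advance(self, seconds):
        # Accumulate price * time between transactions, for the TWAP.
        self.cumulative += self.spot_price() * seconds
        self.elapsed += seconds

    def twap(self):
        return self.cumulative / self.elapsed

    def swap(self, usdt_in=0, token_in=0):
        k = self.usdt * self.token
        if usdt_in:
            self.usdt += usdt_in
            self.token = k / self.usdt
        else:
            self.token += token_in
            self.usdt = k / self.token

def guarded_price(pair, max_deviation=Fraction(1, 20)):
    """Quote the TWAP, refusing when spot has drifted more than 5% from it."""
    spot, twap = pair.spot_price(), pair.twap()
    if abs(spot - twap) > max_deviation * twap:
        raise ValueError("spot price deviates from TWAP; refusing to quote")
    return twap

def demo():
    pair = Pair(1_000_000, 1_000_000)   # constructed reserves
    pair.advance(1800)                  # 30 minutes of normal trading
    before = pair.spot_price()
    pair.swap(usdt_in=1_000_000)        # large trade, no time passes
    during = pair.spot_price()
    try:
        guarded_price(pair)
        rejected = False
    except ValueError:
        rejected = True
    pair.swap(token_in=500_000)         # trade reversed in the same transaction
    return before, during, pair.spot_price(), pair.twap(), rejected

if __name__ == "__main__":
    print(demo())
```

Any reward, mint or collateral calculation that reads `spot_price()` sees the distorted value for the duration of the transaction, while the time-weighted figure is unchanged because no time elapses inside it.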
Flash loan attacks have become increasingly popular among hackers due to their low risk, low cost, and high reward. On Wednesday, Avalanche-based lending protocol Nereus Finance fell victim to a sneaky flash loan attack that resulted in a loss of $371,000 worth of USD Coin (USDC). In early June, Inverse Finance lost $1.2 million in another flash loan attack.