Flash loans allow users to borrow large amounts of assets without upfront collateral; miscreants use them to exploit DeFi protocols.
On September 8, a series of flash loan attacks targeted the decentralized finance (DeFi) protocol New Free DAO, causing a reported loss of $1.25 million. In the wake of the attack, the native token’s price has decreased by 99%.
Several DeFi protocols provide flash loans, which, unlike regular loans, let users borrow substantial amounts of assets without making upfront collateral deposits. The only requirement is that the loan must be paid back in one transaction within a predetermined time frame. However, attackers frequently take advantage of this capability to amass significant resources in order to carry out costly attacks against DeFi protocols.
On Thursday, blockchain security company CertiK informed the cryptocurrency community about the 99% price slippage of the NFD token brought on by a flash loan attack. According to reports, the attacker used the function “addMember()” to add themselves as a member and then deployed an unconfirmed contract. The attacker later used the unconfirmed contract to carry out three flash loan attacks.
The attacker first took out a flash loan for 250 WBNB worth $69,825 and exchanged all of it for the native token NFD. The contract was subsequently used to generate numerous attack contracts in order to repeatedly claim airdrop rewards. The attacker then exchanged all of the airdrop rewards for WBNB, resulting in a profit of 4481 BNB.
The attacker exchanged 2,000 BNB for 550,000 BSC-USD and repaid the loan (250 BNB) out of the total amount of 4481 BNB. Later, the attacker transferred 400 BNB to Tornado Cash, a well-known coin mixer service.
According to CertiK, the hacker who attacked NFD with flash loans was linked to those who hacked Neorder (N3DR) in May of this year. Later, Beosin, a different blockchain security company, said that the hackers responsible for both breaches might be the same.
Beosin also called attention to a flaw in the NFD protocol that might be exploited for yet another kind of flash loan attack. The security company claimed that the prices might be manipulated because they are determined “using the balance of USDT in the pair, hence it may lead to flash loan attack if exploited.”
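The weakness Beosin describes, a price read directly from a pair's balances, can be illustrated with a simplified model. This is an added example, not code from the article or from the NFD contracts: the fee-free constant-product pair, the reserve sizes, the swap amount and the 5% deviation threshold are all constructed assumptions, and the time-weighted average price (TWAP) check is one common mitigation rather than anything the protocol is reported to use.

```python
from dataclasses import dataclass

@dataclass
class Pair:
    """Simplified constant-product TOKEN/USDT pair (no fees, constructed numbers)."""
    token: float
    usdt: float
    cumulative: float = 0.0  # running sum of price * elapsed seconds
    last_ts: int = 0

    def spot_price(self) -> float:
        # Price read straight from current balances: movable within one transaction.
        return self.usdt / self.token

    def sync(self, ts: int) -> None:
        # Runs at the start of a block, before that block's swaps, so the
        # accumulator only records prices that persisted across blocks.
        self.cumulative += self.spot_price() * (ts - self.last_ts)
        self.last_ts = ts

    def swap_usdt_in(self, amount: float) -> float:
        k = self.token * self.usdt          # invariant token * usdt = k
        self.usdt += amount
        out = self.token - k / self.usdt    # TOKEN paid out to the swapper
        self.token -= out
        return out

def twap(pair: Pair, start_cumulative: float, start_ts: int) -> float:
    """Time-weighted average price since a stored snapshot."""
    return (pair.cumulative - start_cumulative) / (pair.last_ts - start_ts)

def price_is_sane(spot: float, reference: float, max_deviation: float = 0.05) -> bool:
    """Defensive check: reject a spot price that strays too far from the TWAP."""
    return abs(spot - reference) / reference <= max_deviation

def simulate():
    pair = Pair(token=1_000_000, usdt=100_000)         # constructed reserves
    start_cum, start_ts = pair.cumulative, pair.last_ts
    for ts in (3, 6, 9):                               # three quiet blocks
        pair.sync(ts)
    before = pair.spot_price()
    pair.swap_usdt_in(900_000)                         # one large swap inside the block at ts=9
    after = pair.spot_price()
    return before, after, twap(pair, start_cum, start_ts)

if __name__ == "__main__":
    before, after, reference = simulate()
    print(f"spot before={before:.2f} after={after:.2f} twap={reference:.2f}")
    print("accept manipulated spot price:", price_is_sane(after, reference))
```

In this model a single swap moves the balance-derived price a hundredfold, while the TWAP is unchanged because the accumulator was last updated before the swap.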
Hackers are increasingly using flash loan attacks because of their low risk, low cost, and big payoff. Nereus Finance, an Avalanche-based lending protocol, was hit by a cunning flash loan attack on September 7 and lost $371,000 in USDC as a result. Inverse Finance suffered a loss of $1.2 million in a different flash loan attack earlier in June.