$1.3 Million Stolen From New Free Dao in Flash Loan AttackValue of DeFi Protocol's Native Token Slumps More Than 99% After Attack
An attacker stole $1.25 million worth of cryptocurrency from newly established decentralized finance protocol New Free DAO in a flash loan attack on Thursday. The thief has cashed out nearly half of the stolen funds so far.
Flash loans are fast, uncollateralized cryptocurrency loans, where a user can borrow and repay funds within one transaction. A DAO is a decentralized autonomous organization that uses blockchain to facilitate self-enforcing rules or protocols to carry out transactions.
The Thursday attack resulted in a sharp drop in the platform's native token $NFD, whose value slumped more than 99% compared to a day ago. Its value had not recovered on Friday at the time of writing this story.
New Free DAO was established less than two weeks ago but had accumulated enough money to permit huge losses once exploited, says Ronghui Gu, CEO and co-founder of blockchain security company CertiK.
"This attack demonstrates that threat actors are actively searching for vulnerabilities in newly created tokens and even looking at unverified code on Etherscan - or it was an inside job," he tells Information Security Media Group.
The attacker exploited a vulnerability on an unverified rewards smart contract on the BSC blockchain to carry out the attack, CertiK says in a blog post detailing the incident. The attacker first deployed a malicious contract, made themselves a member of the contract and executed functions that resulted in the contract erroneously releasing funds that did not belong to the attacker.
"By the time the attacker was done, they had taken 343,323,371 NFD tokens, for a profit of 4,481 WBNB," CertiK says. The value of 4,481 wrapped BNBs is about $1.25 million at the time of writing this story.
Attacks like the one on New Free DAO "undermine trust and safety of the Web3 ecosystem and remind us of the persistent threat of flash loan attacks, says Gu. CertiK advises verifying smart contracts before they're deployed, as it is "extremely difficult" to find critical vulnerabilities in unverified ones. The next step, it says, is to audit the contract to identify code susceptible to exploits. "Projects need to do everything that they can, including smart contract audits and penetration testing of their systems to mitigate against these attacks,” Gu says.
The attacker currently holds $1.13 million worth of cryptocurrency in their wallet and moved $111,544 to sanctioned cryptocurrency mixer Tornado Cash.
"Due to the recent sanctions by OFAC on Tornado Cash, it is likely that we'll see the stolen funds make their way through the mixer at a slower pace," CertiK says, since large increases in unique transactions without an increase in unique address could help investigators ascertain what wallet redeems the funds on the other end. OFAC refers to the U.S. Department of Treasury Office of Foreign Assets Control (see: US Treasury Sanctions Tornado Cash, Freezes Its Assets).
The blockchain security company could not ascertain the attacker's identity but said that the individual was also behind another malicious flash loan exploit on $N3DR, which resulted in the loss of cryptocurrency worth $297,000 at the time.