According to circulating reports, DeFi project New Free DAO fell victim to a series of flash loan attacks on Thursday, September 8. The exploits may have cost the project as much as $1.25 million and caused the value of its native token to tank. Notably, the price of the NFD token has fallen by about 99% following the attack.
PeckShield Sounds the Alarm
News of the attack initially emerged via a report from blockchain security firm PeckShield Alert. The company sounded the alarm with a post on its official Twitter page. Its tweet contained details of the alleged exploit, such as NFD Etherscan data.
PeckShield noted that the attacker had made off with over 4500 BNB tokens, roughly $1.25 million, from the DeFi project. Later on, the culprit exchanged about 2000 of the BNB tokens for BSC-USD.
“#PeckShieldAlert #slippage PeckShield has detected that $NFD has dropped -99% probably falls victim to a flash loan-assisted attack,” the tweet read. “The exploiter grabbed ~4,500 $BNB (~$1.25M) and has swapped ~2,000 $BNB to ~550k.”
Details of the Attack
Security platform Certik later chimed in to explain how the attack had occurred. Flash loans are a feature on several DeFi platforms. They give users access to large amounts of funds without the need to deposit collateral upfront.
Flash loans do have one requirement, which is that the loan must be repaid in one transaction within a set time. Unfortunately, bad actors often take advantage of the feature to exploit platforms and cart off huge amounts of assets.
Certik explained in their report that the perpetrator in the New Free DAO attack had deployed an unconfirmed contract. The attacker employed the addMember() function to add themselves as a member and subsequently carried out three flash loan attacks.
The perpetrator reportedly first took out a flash loan to borrow 250 WBNB tokens (about 70,000 USD). Afterward, the malicious actor swapped the funds for the network’s native NFD tokens using the contract. Additionally, they created several attack contracts, which they used to claim multiple airdrop rewards.
Certik reports that by doing this they were able to receive rewards for interacting with the unconfirmed contract. They then proceeded to create several new contracts and carry out the process over and over again. Following this, they exchanged the airdrop rewards for WBNB tokens, making off with a total of 4481 BNB.
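A defender-side heuristic for the pattern Certik describes, as an added example that is not code from Certik, PeckShield or New Free DAO: it flags a transaction in which a flash loan is borrowed and repaid while several contracts created in that same transaction call a membership or reward function on one target. The event schema, the `claim` function name, the threshold and the sample trace are assumptions constructed for illustration; only `addMember` comes from the report.

```python
from collections import defaultdict

CLAIM_FNS = {"addMember", "claim"}  # addMember is named in the article; "claim" is hypothetical
MIN_FRESH = 3                       # assumed alert threshold

def flag_fresh_contract_claims(events, min_fresh=MIN_FRESH):
    """Return {tx: {target: [fresh contracts]}} for flash-loan transactions in
    which several contracts created in that same transaction call a
    membership or reward function on one target."""
    by_tx = defaultdict(list)
    for ev in events:                       # events are assumed to be in execution order
        by_tx[ev["tx"]].append(ev)
    findings = {}
    for tx, evs in by_tx.items():
        ops = {e["op"] for e in evs}
        if not {"flash_borrow", "flash_repay"} <= ops:
            continue                        # no loan borrowed and repaid in this tx
        fresh, callers = set(), defaultdict(list)
        for e in evs:
            if e["op"] == "create":
                fresh.add(e["dst"])         # contract deployed inside this tx
            elif e["op"] == "call" and e["src"] in fresh and e.get("fn") in CLAIM_FNS:
                if e["src"] not in callers[e["dst"]]:
                    callers[e["dst"]].append(e["src"])
        hits = {t: c for t, c in callers.items() if len(c) >= min_fresh}
        if hits:
            findings[tx] = hits
    return findings

def _ev(tx, op, src, dst, fn=None):
    return {"tx": tx, "op": op, "src": src, "dst": dst, "fn": fn}

# Constructed trace events (not real chain data); the schema is hypothetical.
SAMPLE = [_ev("tx1", "flash_borrow", "pool", "eoa")]
for name in ("c1", "c2", "c3"):
    SAMPLE += [_ev("tx1", "create", "eoa", name),
               _ev("tx1", "call", name, "rewards", "addMember"),
               _ev("tx1", "call", name, "rewards", "claim")]
SAMPLE += [_ev("tx1", "flash_repay", "eoa", "pool"),
           # tx2: flash-loan arbitrage with no fresh contracts, should not alert
           _ev("tx2", "flash_borrow", "pool", "arb"),
           _ev("tx2", "call", "arb", "dex", "swap"),
           _ev("tx2", "flash_repay", "arb", "pool"),
           # tx3: one new contract claims without any flash loan, should not alert
           _ev("tx3", "create", "user", "w1"),
           _ev("tx3", "call", "w1", "rewards", "claim")]

if __name__ == "__main__":
    print(flag_fresh_contract_claims(SAMPLE))
```

Requiring both conditions keeps ordinary flash-loan arbitrage and ordinary single claims from alerting; the threshold would need tuning against real traffic.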
Flash Loan Attacks Increase in Frequency
Etherscan data reveals that the attacker repaid the flash loan and carried out the swap PeckShield spotted. Certik’s report noted that the culprit later moved about 400 BNB to controversial crypto mixer Tornado Cash. Interestingly, the US Treasury Department recently sanctioned the platform for its role in money laundering operations.
According to the Certik report, the New Free DAO attack has ties to an exploit on Neorder that took place in May this year. Another blockchain security firm weighed in on this, saying the same perpetrator could be behind both attacks. Beosin also pointed out another of NFD’s vulnerabilities, which could be used in another variation of a flash loan attack.
“We also find another vulnerability in the $NFD contract that may lead to price manipulation,” said the report.
In recent times, the crypto industry has experienced a wave of flash loan attacks. Earlier this week, Avalanche-based protocol Nereus Finance suffered an exploit that saw it lose about $371k worth of USDC.