TronWeekly

Crypto World News

You are here: Home / Archives for flash loan

flash loan

Binance Smart Chain’s DeFi Project Losses Over $30M In Flash Loan Exploit

by

A DeFi project Spartan Protocol’s contract suffered an exploit that led to loss of more than $30 million in funds. The incident reportedly originated due to a flawed liquidity share calculation in the protocol, that resulted in the drainage of assets from the pool.

In the post-mortem blog post, the security firm PeckShield detailed,

“In particular, the specific hack inflates the asset balance of the pool before burning the same amount of pool tokens to claim an unnecessarily large amount of underlying assets. The consequence of this attack results in more than $30M loss from the affected pool.”

The decentralized protocol [DeFi] was built on Binance Smart Chain for incentivized liquidity and synthetic assets. While first reporting the incident Spartan had revealed that the malicious entity used $61 million in Binance’s native token BNB to control the pools via an unknown economic exploit path to remove almost $3 million in funds from the pools.

According to the post-mortem report, the flash loan was taken on BSC’s popular DEX PancakeSwap for 100,000 wrapped BNB [wBNB]. This amount was to be paid back at the last step with 260 wBNB as the flash loan fee. However, the hacker allegedly swapped the wrapped BNB to Spartan’s native token – SPARTA five times via this exploited pool of the protocol. It swapped wBNB to SPARTAN an additional ten times through the same pool.

After inflating the asset balance in the pool, tokens were burnt to withdraw the liquidity. This process was repeated until the flash loan of 100,260 wBNB was returned and the hacker drained more than $30 million from the DeFi protocol.

DeFi Flash Loan Attacks One After Another

Rekt, which posted another assessment of the incident, also stated that Spartan’s latest exploit with $30 million funds drained is the sixth biggest incursion on its leaderboard.

This news comes jist days after the attackers of yet another Binance Smart Chain’s DeFi exchange Uranium Finance siphoned off with more than $57 million in exploit from a similar attack. In April 20th, layer two protocol EASYFI lost around $59 million.

Another DeFi Protocol Loses $7 Million In Flash Loan Exploit

by

Malicious actors are increasingly leveraging flash loans to fund attacks on decentralized finance [DeFi] protocols. Another one is biting the dust. This time, the Origin Protocol’s yield-generating stablecoin protocol, OUSD, was attacked and drained by nearly $7 million, of which $1 million was deposited by the company’s founders and employees.

After tracing the movement of the funds, the Founder of Origin Protocol Matthew Liu revealed that the attacker used both Tornado Cash and renBTC to wash and move funds. Additionally, there was still 7,137 ETH and 2.249 million DAI sitting in one of the attacker’s wallets.

Nature of the Attack

The exec explained,

“The attack was a reentrancy bug in our contract. Unfortunately, our contract was safe from reentrancy bugs unless one of our supported stablecoins was attacking us.”

Reentrancy attacks are known to be the most devastating attacks when developing smart contracts. They are devastating for two reasons: they can completely drain a smart contract of its funds, and they can sneak their way into the code if the developers are not careful.

In the case of OUSD, the entity reportedly exploited a missing validation check in mint multiple (when minting OUSD with multiple stablecoins) to pass in a fake “stablecoin” under their control. This “stablecoin” was then called “transferFrom” on by the vault. This essentially allowed the attacker to exploit the contract with a “reentrancy attack” in the middle of the mint.

As a response to the attack, Liu reminded the users not to buy OUSD on Uniswap or Sushiswap as the current prices do not reflect OUSD’s underlying assets.

Here’s what prominent DeFi influencer Autism Capital had to say about the entire fiasco:

 

Em8HlxjXMAABsvO scaled

Of late, flash loans have become one of the most popular as well as powerful new liquidity mechanisms that have recently emerged in the decentralized finance [DeFi] ecosystem.

Origin’s breach is the fifth major flash loan attack to hit the DeFi ecosystem in the past three weeks, after security breaches targeting platforms such as Harvest, Akropolis, Value, and CheeseBank. Additionally, it is the tenth DeFi platform to have been exploited in terms of year to date.