TronWeekly

Crypto World News

You are here: Home / Archives for flash loan

flash loan

Avalanche-Based DeFi Hit by Flash Loan Attack, Incurs $2M Loss

by

Platypus Finance, a decentralized finance [DeFi] protocol based on the Avalanche blockchain, reportedly faced a flash loan attack on October 12, resulting in an estimated loss of over $2 million. The attack, detected by leading blockchain security firm Peckshield, exposed vulnerabilities in the platform’s security. In a flash loan attack, hackers exploit uncollateralized lending to manipulate cryptocurrency prices, causing artificial inflation or deflation. This manipulation can lead to substantial losses for traders relying on manipulated prices for their transactions.

Avalanche
Avalanche-Based DeFi Hit by Flash Loan Attack, Incurs $2M Loss 2

While the attacker specifically targeted the AVAX-sAVAX liquidity pool, specific details of the attack are currently awaited. Platypus Finance responded promptly by suspending all pools and taking proactive measures to mitigate potential damage. The platform released a statement via social media, acknowledging the suspicious activities and assuring users of timely updates.

Due to suspicious activities in our protocol, we have taken the proactive measure of temporarily suspending all pools. Further updates will be communicated to the community in a timely manner. Thank you for your patience and understanding during this time.

This incident marks the second attack within a year for Platypus Finance. In a previous flash loan attack on February 16, the protocol suffered losses exceeding $9 million, causing its native token, the Platypus USD [USP] stablecoin, to deviate from its peg with the U.S. dollar. The attack, attributed to incorrect coding sequences, led to significant financial consequences. French authorities successfully apprehended two suspects related to the hack, with support from crypto investigator ZachXBT and cooperation from the Binance crypto exchange.

Avalanche-Based Platypus Finance Attack Highlights DeFi Security Challenges

Platypus Finance, a notable player in Avalanche’s DeFi landscape, operates as a stable swap platform, enabling the trading of stablecoins with minimal price slippage or impact. The platform’s Automated Market Maker [AMM] on Avalanche offers features like open liquidity single-sided AMM, which autonomously manages risk based on the coverage ratio, ensuring optimal capital efficiency.

The latest attack on Platypus Finance emphasizes the ongoing challenges faced by DeFi projects, urging the need for enhanced security measures within the crypto ecosystem. Users are hereby advised to exercise caution and remain informed for further updates on this developing story.

Cream Finance Hackers Swaps $1.75M ETH To BTC

by

Hackers of the infamous Cream Finance heist reportedly exchanged roughly 1000 ETH which is worth $1.75 million for 80 RenBTC, blockchain security expert PechShield noted. RenBTC is an ERC-20 token that allows a decentralized representation of Bitcoin within Ethereum.

Twitter users reacted angrily with many questioning the platform’s competencies and its inability to prevent such attacks.

How many times Cream Finance be exploited until we admit people working on the project are imcompetent at least shouldn’t be working on financial products?

image 35
Cream Finance Hackers Swaps $1.75M ETH To BTC 4

Flash loans have been known to be the most widely used by hackers to conduct exploits on decentralized finance [DeFi] systems. Such loans allow investors to borrow unsecured funds from lenders using smart contracts instead of third parties.

This year, another most outrageous flash loan attack was the Beanstalk heist. The stablecoin protocol was drained of $182 million. Next, in June, two more crypto platforms suffered similarly – Inverse Finance and Nirvana. But for Cream Finance, this wasn’t its first attack.

The Ethereum-based lending protocol was a target of multiple exploits but the most damaging of them was the $130 million attack in late 2021.

The incident caused a massive trust deficit for Cream Finance in the crypto circles which eventually made an impact on the token’s price leading to its near annihilation [ CREAM tokens plummeted by over 90%].

Cream Finance’s Third Hack

Prior to that, in Feb 2021, the DeFi protocol was attacked in a similar manner where bad actors stole $35 million. Cream Finance’s native token tanked by 30% in just one hour. 

Then in August, the platform suffered the second hack that resulted in the attacker looting more than 418 million in AMP, the Flexa Network’s native token, and approximately 1,300 Ethereum. 

Just recently, an Avalanche-based lending protocol Nereus Finance fell victim to a well-planned hack that saw hackers secure $371,000 worth of USD Coin [USDC] using a smart contract exploit.

After the incident, Nereus Finance released a detailed post-mortem of the incident explaining that the hacker was able to deploy a custom smart contract that utilized a $51 million flash loan from Aave to artificially inflate the Avalanche pool price for a single block.

The bad debt was reportedly paid off from the team’s treasury, as told by the Nereus in the report.

Binance Smart Chain believes hackers are specifically targeting it following back-to-back DeFi exploits.

by

Binance Smart Chain believes hackers are specifically targeting it following back-to-back DeFi exploits.

Several defi protocols built on top of Binance Smart Chain [BSC] decentralized finance ecosystem have suffered one after another hacks and exploits in a short period of time that has stemmed especially this past month. The platform believes that the recent flash loan hacks were orchestrated against BSC specifically.

The platform said on the 30th of May,

“There are >8 flashloan hacks recently, we believe, an well organized hackers are targeting Binance Smart Chain now. It is very challenging time for the BSC community.”

In a series of tweets, Binance Smart Chain also went on to urge the team behind the decentralized applications [DApps] to work with their audit companies to do another health check.

It also asked the cloned and forked defi projects, to “double and triple check” the changes from the original version and employ necessary risk control measures to actively identify any peculiar activities in a real-time manner and halt the protocol if any such strange activity indeed occurs.

Binance Smart Chain’s Rise to Fame

Since its inception last September, BSC saw tremendous success. The activity on Binance Chain’s parallel blockchain has dramatically soared as it continued to make headlines as one of the more viable rivals to the Ethereum network which was riddled with scalability issues.

However, as BSC rose to popularity, so are the bad actors that have breached various protocols and managed to siphon off with billions in crypto.

Binance had recently stated that it was not responsible for exploits on BSC protocols. Samy Karim, who happens to be the coordinator of business and ecosystem development at the cryptocurrency exchange, had earlier stated that Binance Smart Chain is a public permissionless infrastructure that enables anyone to deploy. He went on to add,

“You have malicious actors there and hacks, and exploits in defi are not new and definitely not unique to BSC.”

In another related news, BSC had added the blockchain analytics and cryptocurrency intelligence company, CipherTrace for the purpose of tracking illicit transactions.

Binance Smart Chain DeFi PancakeBunny Suffers Flash Loan Exploit

by

Another day, another flash loan attack on a defi protocol.

A Binance Smart Chain [BSC] decentralized finance [defi] yield optimizer project called PancakeBunny, has supposedly suffered an “economic exploit”. According to the PancakeBunny team’s official post on Twitter, the protocol was subjected to a flash loan attack from an external actor.

However, the platform clarified that none of the vaults on the platform were compromised.

“We would like to remind the community that no vaults have been compromised. The exploit was an economic exploit that attacked the price of BUNNY, using flash loans. We repeat, no vaults have been breached.”

The malicious entity reportedly borrowed “a huge amount” of Binance Coin [BNB] on DEX Pancakeswap and went on to manipulate the price of USDT/BNB as well as BUNNY/BNB. Subsequently, the hacker dumped all of the acquired BUNNY in the market which led to the crash in the token’s price.

PancakeBunny rebuffed reports that claimed that the attacker siphoned off with $1 billion worth of tokens but has not revealed the actual figures yet. According to calculations, the exploit drained over $200 million from the yield platform’s smart contracts. However, the blockchain security firm Certik said that the losses were around $40 million. Its tweet regarding the same read,

“An alert was published at Certik over an incident on PancakeBunny, which suffered from a FlashLoan attack and resulted in a loss of ~$40M (114K WBNB & 697K BUNNY). An illustration of exploited asset movements is presented & we are actively monitoring further TXs.”

Certick
Binance Smart Chain DeFi PancakeBunny Suffers Flash Loan Exploit 7

Further making the situation worse, the hacker left a rabbit-related pun as a note after the execution of the transaction that read “Aren’t Flashloans Earitating”

Notably, the BSC-based defi project is led by Mound, a startup that secured $1.6 million from the exchange’s venture capital and incubator arm, Binance Labs recently.

DeFi Token, BUNNY Free Falls

chart
Binance Smart Chain DeFi PancakeBunny Suffers Flash Loan Exploit 8

The native token, BUNNY was trading above $230 before the incident. However, it slashed its gains by more than 80% over the past 24-hours and was currently trading at $31.48, according to CoinGecko.

Binance Smart Chain’s DeFi Project Losses Over $30M In Flash Loan Exploit

by

A DeFi project Spartan Protocol’s contract suffered an exploit that led to loss of more than $30 million in funds. The incident reportedly originated due to a flawed liquidity share calculation in the protocol, that resulted in the drainage of assets from the pool.

In the post-mortem blog post, the security firm PeckShield detailed,

“In particular, the specific hack inflates the asset balance of the pool before burning the same amount of pool tokens to claim an unnecessarily large amount of underlying assets. The consequence of this attack results in more than $30M loss from the affected pool.”

The decentralized protocol [DeFi] was built on Binance Smart Chain for incentivized liquidity and synthetic assets. While first reporting the incident Spartan had revealed that the malicious entity used $61 million in Binance’s native token BNB to control the pools via an unknown economic exploit path to remove almost $3 million in funds from the pools.

According to the post-mortem report, the flash loan was taken on BSC’s popular DEX PancakeSwap for 100,000 wrapped BNB [wBNB]. This amount was to be paid back at the last step with 260 wBNB as the flash loan fee. However, the hacker allegedly swapped the wrapped BNB to Spartan’s native token – SPARTA five times via this exploited pool of the protocol. It swapped wBNB to SPARTAN an additional ten times through the same pool.

After inflating the asset balance in the pool, tokens were burnt to withdraw the liquidity. This process was repeated until the flash loan of 100,260 wBNB was returned and the hacker drained more than $30 million from the DeFi protocol.

DeFi Flash Loan Attacks One After Another

Rekt, which posted another assessment of the incident, also stated that Spartan’s latest exploit with $30 million funds drained is the sixth biggest incursion on its leaderboard.

This news comes jist days after the attackers of yet another Binance Smart Chain’s DeFi exchange Uranium Finance siphoned off with more than $57 million in exploit from a similar attack. In April 20th, layer two protocol EASYFI lost around $59 million.

Another DeFi Protocol Loses $7 Million In Flash Loan Exploit

by

Malicious actors are increasingly leveraging flash loans to fund attacks on decentralized finance [DeFi] protocols. Another one is biting the dust. This time, the Origin Protocol’s yield-generating stablecoin protocol, OUSD, was attacked and drained by nearly $7 million, of which $1 million was deposited by the company’s founders and employees.

After tracing the movement of the funds, the Founder of Origin Protocol Matthew Liu revealed that the attacker used both Tornado Cash and renBTC to wash and move funds. Additionally, there was still 7,137 ETH and 2.249 million DAI sitting in one of the attacker’s wallets.

Nature of the Attack

The exec explained,

“The attack was a reentrancy bug in our contract. Unfortunately, our contract was safe from reentrancy bugs unless one of our supported stablecoins was attacking us.”

Reentrancy attacks are known to be the most devastating attacks when developing smart contracts. They are devastating for two reasons: they can completely drain a smart contract of its funds, and they can sneak their way into the code if the developers are not careful.

In the case of OUSD, the entity reportedly exploited a missing validation check in mint multiple (when minting OUSD with multiple stablecoins) to pass in a fake “stablecoin” under their control. This “stablecoin” was then called “transferFrom” on by the vault. This essentially allowed the attacker to exploit the contract with a “reentrancy attack” in the middle of the mint.

As a response to the attack, Liu reminded the users not to buy OUSD on Uniswap or Sushiswap as the current prices do not reflect OUSD’s underlying assets.

Here’s what prominent DeFi influencer Autism Capital had to say about the entire fiasco:

 

Em8HlxjXMAABsvO scaled

Of late, flash loans have become one of the most popular as well as powerful new liquidity mechanisms that have recently emerged in the decentralized finance [DeFi] ecosystem.

Origin’s breach is the fifth major flash loan attack to hit the DeFi ecosystem in the past three weeks, after security breaches targeting platforms such as Harvest, Akropolis, Value, and CheeseBank. Additionally, it is the tenth DeFi platform to have been exploited in terms of year to date.