Serial hacks: $1.25 million gone – A new DeFi project bites the dust

New day, new hack – The cryptocurrencies and more particularly the ecosystem Challenge are often under attack. In some cases, the amounts stolen can reach astronomical sums. This is what the New Free DAO protocol has just learned the hard way. on the BNB Chain. Indeed, this one was the target of a flash loan attack.
New Free DAO: $1.25 million stolen in a flash loan attack
Thursday, September 8 in the early morning, several companies specializing in audits and blockchain security noted the same attack. Thus, in turn, Certik, Peckshield and Beosin warned that a offensive was in progress on the protocol New Free DAO.
In practice, New Free DAO (NFD) is a token launched on the BNB Chain on August 26th. Little information is available on this subject, no site, no Twitter account, nothing. And yet, this one still managed to reach a liquidity of $1.8 million August 30 on DexGuru.
In total, the striker managed to to steal the equivalent of $1.25 million in cryptocurrencies.
>> Play it safe, register on FTX the reference of crypto exchanges (commercial link) <<
Course of the attack
Shortly after the incident, the audit and security company Certik published a reportryou back to the course of the attack.
To do this, the attacker first deployed a malicious contract. He then added himself to the list of contract members using the addMember() function.
Subsequently, he contracted a flash loan of 250 WBNB ($72,409) to initiate his attack. The WBNBs were then exchanged for 6.3 million NFD.
Once the NFDs were in his possession, he sent them to a unverified NFD contract. This shipment triggered a reward contract on the protocol.
Therefore, the protocol has mistakenly distributed 525,283 NFD tokens. The attacker then repeated the maneuver several times, for a total loot of 343 million NFD tokens.
Obviously, this one hastened to resell the tokens, generating a sharp drop in price.
Cause of attack
Unsurprisingly, this attack was possible because the contract code had a fault. Indeed, the calculation of the rewards takes into account the time as well as the amount of tokens held.
However, this code does not in any way protect against the use of flash loan, as explained in the Certik report:
” However, there are no safeguards preventing flash loan attacks, which means an attacker can increase their token balance significantly via a flash loan. »
Obviously, the attacker quickly funneled the stolen funds through the DeFi protocol Tornado Cash in order to cover their tracks.
A group of recidivist hackers on DeFi?
In its analysis, Certik also discovered another interesting fact. Indeed, after his attack, the attacker or the group of attackers moved the funds to another address.
However, this address had already been used to recover stolen funds as part of the attack on the protocol. NeorderDAO. Thus, last May the same attacker had been involved in the hack of the protocol.
More recently, on September 2, it was the turn ofShadowFi to be the victim of an attack, as underline PeckShield on Twitter. A total of $301,000 was stolen . One more time, of the NeorderDAO attacker related addresses came out.
“The attacker is tagged as the NeorderDAO hacker in our internal database. The stolen funds have already been transferred to TornadoCash. »
Thus, these three attacks have a common denominatorbringing the attacker’s or party’s total to $1.8 million.
The day before the attack of New Free DAO, it is the protocol Nereus Finance, which suffered from a flash loan attack on Avalanche. In total, the attacker stole the equivalent of$370,000.
Stay away from spammers and scammers. Avoid too-good-to-be-true offers like the plague and get into the habit of being healthy with suspicion. On the other hand, also learn to place reasonable trust in respectable and recognized players in the DeFi ecosystem. The FTX platform falls without a shadow of a doubt into this second category. Come acquire and trade your first bitcoins and other cryptocurrencies. Register on FTX. You will benefit from a lifetime discount on your transaction fees (commercial link).