New Free DAO (NFD) decentralised finance (DeFi) platform was exposed to a flash loan attack early on Thursday, resulting in an estimated loss of $1.25 million. Following the hack, the ecosystem’s native token fell by 99%, according to CertiK
, a smart contract review company.
Flash loans provide borrowers with the ability to take out large sums of assets without having to put up any upfront security. Criminals frequently utilise this to exploit DeFi protocols.
Several DeFi protocols provide flash loans, which let users borrow substantial amounts of assets without making prior collateral deposits, unlike regular loans. The sole requirement is that the loan must be paid back in one transaction within a predetermined time frame.
New Free Dao – $NFD was exploited via flash loan attack gaining the attacker 4481 WBNB (approx. ~$1.25M) causing the token to slip in price 99%.
The attacker has connections to Neorder – $N3DR attack from 4 months ago where they took 930 BNB at the time. pic.twitter.com/5Rcht3YiIK
— CertiK Alert (@CertiKAlert) September 8, 2022
However, the NFD attacker utilised the new attack contract to interact with the unverified contract and receive rewards by borrowing WBNB through a flash loan and exchanging it for New Free DAO (NFD) tokens.
“The attacker repeated the process with dozens of newly created contracts,” according to CertiK.
NFD suffered a series of attacks
The company said that the attacker used an unverified contract and added themself as a member by using the function addMember(). The attacker carried out three flash loan attacks with the aid of the attacking contract.
They suspect the perpetrator is related to the Neorder – $N3DR attack, which occurred four months ago and resulted in the loss of 930 BNB at the time.
Hackers are increasingly using flash loan attacks owing to their low risk, low cost, and big payoff attributes. The Solana ecosystem saw the collapse of an algorithm stablecoin in a flash loan hack in July.
Attackers stole $3.5 million from Nirvana Finance, driving down the value of its Defi-protocol token, ANA, and the NIRV stablecoin by 90%.
The attackers employed TornadoCash mixer
The detection company said that they are beginning to observe the deposition of the stolen funds into TornadoCash, a service that mixes other cryptocurrency funds with potentially traceable or compromised cryptocurrency funds to hide the source and destination of cryptocurrency assets.
The U.S. Treasury has recently blacklisted Tornado Cash in the U.S because they think it has enabled cryptocurrency money laundering on a scale of billions of dollars through its platform and has become the go-to option for hackers targeting decentralised platforms.
According to CertiK, 400 BNB (about $111K) has been sent into the mixer thus far.