DeFi protocol token NFD crashes by 99% after a flash loan attack

Published at: Sept. 8, 2022

New Free DAO, a decentralized finance (DeFi) protocol, faced a series of flash loan attacks on Sept. 8, resulting in a reported loss of $1.25 million. The price of the native token has dropped by 99% in the wake of the attack.

Unlike normal loans, flash loans, which several DeFi protocols offer, let users borrow large amounts of assets without depositing collateral up front. The only condition is that the loan must be returned in a single transaction within a set time period. However, malicious actors often exploit this feature to gather large amounts of assets and launch costly exploits against DeFi protocols.

Blockchain security firm CertiK alerted the crypto community on Thursday about the 99% price slippage of the NFD token due to a flash loan attack. The attacker reportedly deployed an unverified contract and called the function “addMember()” to add itself as a member. The attacker later executed three flash loan attacks with the assistance of the unverified contract.

#CertiKSkynetAlert New Free Dao - $NFD was exploited via flash loan attack gaining the attacker 4481 WBNB (approx. ~$1.25M) causing the token to slip in price 99%. The attacker has connections to Neorder - $N3DR attack from 4 months ago where they took 930 BNB at the time. pic.twitter.com/5Rcht3YiIK

— CertiK Alert (@CertiKAlert) September 8, 2022

The attacker first borrowed 250 WBNB, worth $69,825, via a flash loan and swapped all of it for the native token NFD. The contract was then used to create multiple attack contracts that claimed airdrop rewards repeatedly. The attacker then swapped all the airdrop rewards for WBNB, gaining 4481 BNB.

Out of the 4481 BNB, the attacker returned the borrowed loan (250 BNB) and swapped 2,000 BNB for 550,000 BSC-USD. Later, the attacker moved 400 BNB to the popular coin mixer service Tornado Cash.
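From a monitoring standpoint, the sequence described above (a flash loan, then many freshly created contracts each claiming a reward inside one transaction) leaves a recognizable shape in internal call traces. The following is an added example, not code from CertiK, Beosin or the NFD project; the trace records, the address labels and the function names `run`, `flashLoan`, `swap` and `claim` are constructed for illustration.

```python
from collections import defaultdict

# Constructed internal-call traces in execution order:
# (transaction, opcode, caller, target, function name)
TRACES = [
    ("tx1", "CALL",   "eoa_a",  "helper",  "run"),
    ("tx1", "CALL",   "helper", "lender",  "flashLoan"),   # hypothetical name
    ("tx1", "CALL",   "helper", "router",  "swap"),
    ("tx1", "CREATE", "helper", "child1",  ""),
    ("tx1", "CALL",   "child1", "rewards", "claim"),       # hypothetical name
    ("tx1", "CREATE", "helper", "child2",  ""),
    ("tx1", "CALL",   "child2", "rewards", "claim"),
    ("tx1", "CREATE", "helper", "child3",  ""),
    ("tx1", "CALL",   "child3", "rewards", "claim"),
    ("tx1", "CREATE", "helper", "child4",  ""),
    ("tx1", "CALL",   "child4", "rewards", "claim"),
    ("tx1", "CALL",   "helper", "router",  "swap"),
    ("tx2", "CALL",   "eoa_b",  "rewards", "claim"),       # ordinary single claim
    ("tx3", "CREATE", "eoa_c",  "wallet1", ""),            # one new wallet contract
    ("tx3", "CALL",   "wallet1", "rewards", "claim"),
]


def fanout_claims(traces, min_children=3):
    """Flag transactions where several contracts created in that same
    transaction all call the same function on the same target."""
    created = defaultdict(set)   # tx -> contracts created inside it
    borrowed = set()             # txs that contain a flash-loan call
    hits = defaultdict(set)      # (tx, target, fn) -> fresh contracts calling it
    for tx, op, caller, target, fn in traces:
        if op == "CREATE":
            created[tx].add(target)
        elif fn == "flashLoan":
            borrowed.add(tx)
        elif caller in created[tx]:
            hits[(tx, target, fn)].add(caller)
    return [
        {"tx": tx, "target": target, "fn": fn,
         "callers": len(callers), "flash_loan": tx in borrowed}
        for (tx, target, fn), callers in sorted(hits.items())
        if len(callers) >= min_children
    ]
```

The threshold separates a single wallet contract claiming once (tx3) from a fan-out of short-lived claimants (tx1); the `flash_loan` field lets an alert rule raise severity when borrowed capital is involved.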

CertiK also noted that the hacker behind the flash loan attack on NFD was related to those who exploited Neorder (N3DR) in May of this year. Later, another blockchain security firm, Beosin, told Cointelegraph that the attackers behind both exploits could be the same.

Beosin also highlighted another vulnerability in the NFD protocol that could be used for another type of flash loan attack. The security firm said that the price could be manipulated because it is calculated “using the balance of USDT in the pair, so it may lead to flash loan attack if exploited.”

3/ Although unrelated to this attack, we also find another vulnerability in the $NFD contract that may lead to price manipulation. pic.twitter.com/kKvx4hRdE4

— Beosin Alert (@BeosinAlert) September 8, 2022
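Why a price read from a pair's current balance is fragile, shown as an added example (not NFD contract code and not from Beosin): a constant-product pair whose spot price moves within one transaction, next to a time-weighted price and a deviation check that do not. The reserves, fee, timestamps and the 5% band are constructed assumptions, and the time-weighted reference is one common mitigation, not something the article prescribes.

```python
from dataclasses import dataclass

FEE = 0.0025  # assumed swap fee for a constant-product (x*y=k) pair


@dataclass
class Pair:
    usdt: float              # USDT balance held by the pair
    token: float             # token balance held by the pair
    last_ts: int = 0
    cumulative: float = 0.0  # running sum of price * seconds

    def spot_price(self) -> float:
        # The flagged pattern: price derived from the pair's current balances.
        return self.usdt / self.token

    def _accrue(self, now: int) -> None:
        self.cumulative += self.spot_price() * (now - self.last_ts)
        self.last_ts = now

    def swap_usdt_for_token(self, usdt_in: float, now: int) -> float:
        self._accrue(now)  # history is recorded at the pre-trade price
        effective = usdt_in * (1 - FEE)
        out = self.token * effective / (self.usdt + effective)
        self.usdt += usdt_in
        self.token -= out
        return out

    def twap(self, start_cumulative: float, start_ts: int, now: int) -> float:
        current = self.cumulative + self.spot_price() * (now - self.last_ts)
        return (current - start_cumulative) / (now - start_ts)


def within_band(spot: float, reference: float, max_deviation: float = 0.05) -> bool:
    """Guard a protocol can apply before trusting a spot read."""
    return abs(spot - reference) <= max_deviation * reference


def simulate() -> dict:
    pair = Pair(usdt=100_000.0, token=1_000_000.0)       # constructed reserves
    snap_cum, snap_ts = pair.cumulative, pair.last_ts    # oracle snapshot at t=0
    before = pair.spot_price()
    pair.swap_usdt_for_token(900_000.0, now=1800)        # one large swap at t=1800
    spot = pair.spot_price()                             # read in the same transaction
    twap = pair.twap(snap_cum, snap_ts, now=1800)
    return {"before": before, "spot": spot, "twap": twap,
            "spot_ok": within_band(spot, twap),
            "twap_ok": within_band(twap, before)}
```

In this run the spot price jumps from 0.1 to roughly 9.98 inside the transaction while the 30-minute time-weighted price stays at 0.1, because the post-swap balances have been in place for zero seconds.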

Flash loan attacks have become increasingly popular among hackers because of their low risk, low cost and high reward. On Sept. 7, Avalanche-based lending protocol Nereus Finance became a victim of a crafty flash loan attack resulting in a loss of $371,000 in USDC. Earlier in June, Inverse Finance lost $1.2 million in another flash loan attack.
