Author

Topic: DeFi Flash Loan Attacks (Read 109 times)

legendary
Activity: 2114
Merit: 1150
https://bitcoincleanup.com/
June 01, 2021, 09:53:22 AM
#9
~
Seems markets are going down more. More defi attacks?
DeFi might be the trend today today but attacks/exploits on DeFi projects aren't that big to cause panic selling of other coins and tokens compared to bitcoin ban by Governments/Banks and other crypto FUDs.

If you look at the chart, there were indications that BTC could drop again over the weekend. That actually happened and so the usual drop in the market.

Really? From the news I am seeing, each defi rug pull is pulling out tens of millions of dollars worth of ETH and tokens, and yes that is nothing compared to 100 million ICO exit scams but nowadays defi projects only raise around 10 million in their IDOs,,, so I would say collectively it is still a lot of money. BTC dropping does not help the sentiment too!
Like I said, rug pulls and flash loan attacks on 1 or 10 platforms are not big enough to crash the market as that was you were asking. Each time an attack happens, the market always move on. They absorb any dumping of eth or bnb by hackers. Also, don't think that DeFi players have all/most of their money on farming/staking pools.
hero member
Activity: 2352
Merit: 953
Temporary forum vacation
May 30, 2021, 11:34:57 AM
#8
~
Seems markets are going down more. More defi attacks?
DeFi might be the trend today today but attacks/exploits on DeFi projects aren't that big to cause panic selling of other coins and tokens compared to bitcoin ban by Governments/Banks and other crypto FUDs.

If you look at the chart, there were indications that BTC could drop again over the weekend. That actually happened and so the usual drop in the market.

Really? From the news I am seeing, each defi rug pull is pulling out tens of millions of dollars worth of ETH and tokens, and yes that is nothing compared to 100 million ICO exit scams but nowadays defi projects only raise around 10 million in their IDOs,,, so I would say collectively it is still a lot of money. BTC dropping does not help the sentiment too!
legendary
Activity: 2114
Merit: 1150
https://bitcoincleanup.com/
May 30, 2021, 01:27:31 AM
#7
~
Seems markets are going down more. More defi attacks?
DeFi might be the trend today today but attacks/exploits on DeFi projects aren't that big to cause panic selling of other coins and tokens compared to bitcoin ban by Governments/Banks and other crypto FUDs.

If you look at the chart, there were indications that BTC could drop again over the weekend. That actually happened and so the usual drop in the market.
hero member
Activity: 2352
Merit: 953
Temporary forum vacation
May 29, 2021, 01:41:09 PM
#6
Not something like new into this market where exploits and hacks news do really pop out from nowhere and these hacks are quite common and its not new that there would be always lurking out into the shadows
trying out to exploit these platforms specially these places deal up with millions of usd.

I have read up yesterday or a couple of days wayback about some anonymous chat or text that China does have plans on having these attacks.I didnt really believe on it
but it seems those words are true when i do read up this news.

So that guy did really pass off some legit insider hints and news.

Yes,,, not new and not ever going to go out of fashion. These are still very new technologies. If with old tech,,, you can still see hackers still can find loopholes and exploits, what more for new technology in smart contracts where there are still very few people knowledgeable in the area right?

Seems markets are going down more. More defi attacks?
legendary
Activity: 2114
Merit: 1150
https://bitcoincleanup.com/
May 29, 2021, 02:59:46 AM
#5
~
I have read up yesterday or a couple of days wayback about some anonymous chat or text that China does have plans on having these attacks.I didnt really believe on it but it seems those words are true when i do read up this news.

So that guy did really pass off some legit insider hints and news.
Where did you read that? 4chan?



I was reading a conversation with a developer of another platform with some members of what possibly happened with burgerswap and it was mentioned that the devs removed a code (related to compounding) that could have prevented exploits like flash loan. It could be intentional because there's no valid reason why they would do that.
hero member
Activity: 2996
Merit: 609
May 28, 2021, 01:21:35 PM
#4
Thank you for all these shares OP and I think more people need to be aware. It is so crazy that so many defi investors come for the first time and immediately jump to a tutorial from youtube and pour their money into it looking for 100% APY.

There is no fear of scams until they themselves become victime,,, very sad but perhaps threads like yours need more attention.
Not something like new into this market where exploits and hacks news do really pop out from nowhere and these hacks are quite common and its not new that there would be always lurking out into the shadows
trying out to exploit these platforms specially these places deal up with millions of usd.

I have read up yesterday or a couple of days wayback about some anonymous chat or text that China does have plans on having these attacks.I didnt really believe on it
but it seems those words are true when i do read up this news.

So that guy did really pass off some legit insider hints and news.
This do already happen last year.
https://www.coindesk.com/everything-you-ever-wanted-to-know-about-the-defi-flash-loan-attack
"when an unknown attacker drained about $350,000 worth of ether (ETH) from Fulcrum, the startup’s lending platform. "
This was on DefiPulse
hero member
Activity: 3010
Merit: 794
May 28, 2021, 11:48:55 AM
#3
Thank you for all these shares OP and I think more people need to be aware. It is so crazy that so many defi investors come for the first time and immediately jump to a tutorial from youtube and pour their money into it looking for 100% APY.

There is no fear of scams until they themselves become victime,,, very sad but perhaps threads like yours need more attention.
Not something like new into this market where exploits and hacks news do really pop out from nowhere and these hacks are quite common and its not new that there would be always lurking out into the shadows
trying out to exploit these platforms specially these places deal up with millions of usd.

I have read up yesterday or a couple of days wayback about some anonymous chat or text that China does have plans on having these attacks.I didnt really believe on it
but it seems those words are true when i do read up this news.

So that guy did really pass off some legit insider hints and news.
hero member
Activity: 2352
Merit: 953
Temporary forum vacation
May 28, 2021, 11:08:59 AM
#2
Thank you for all these shares OP and I think more people need to be aware. It is so crazy that so many defi investors come for the first time and immediately jump to a tutorial from youtube and pour their money into it looking for 100% APY.

There is no fear of scams until they themselves become victime,,, very sad but perhaps threads like yours need more attention.
legendary
Activity: 2114
Merit: 1150
https://bitcoincleanup.com/
May 28, 2021, 01:44:38 AM
#1
Active DeFi stakers probably read the stories already or have been caught in the middle. For the curious and unaware, PancakeBunnyFinance, AutoShark, Merlin Labs, and lately BurgerSwap have all been victims of flash loan attacks. It is also important to note that the codes of these platforms have passed some audit tests but were still exploited.

How the attacks hapened (in summary):

1. PancakeBunny - Lost ~$45 Million

1. The exploiter staged (and exited) the attack using PancakeSwap (PCS)

2. By exploiting a difference in PCS pricing, the hacker intentionally manipulated the price of USDT/BNB and Bunny/BNB, acquiring a huge amount of Bunny through the use of Flash Loans.

3. The exploiter dumped all the Bunny in the market (Ethereum), causing the price of Bunny to plummet

4. The exploiter then exited the attack by paying back the remaining BNB (by having exploited the price difference from before) on PCS.

The team has updated their code since as they should and you can read it here.

2. AutoShark - ~$745K

The story for this one is a bit funny. In an attempt to promote their platform, they suggested that the $100K DAI, that was donated by the PancakeBunny hacker, be staked in their platform and auto-compounded. The next thing you know, they were also attacked Grin

Exploiter used $36,800,000, 100,000 BNB for the attack, and approximately 2,500 BNB was exploited — $822,800. 100,000,000 SHARK tokens were minted and used to drained all the liquidity in the LP pool because our token market cap was small (only at $2,000,000 approx) SHARK tokens, which are sold immediately via 1inch -> AnySwap.

3. Merlin Lab - ~$680,000

1. Added a small sum of deposit to the LINK-BNB Vault (with this transaction).
 
2. Send 180 CAKE to the LINK-BNB Vault contract. (this is important! this is the key that leads to the hack.)

3. Call getReward with the deposit of LINK-BNB Vault from the first step.

4. With the rather large amount of CAKE token in the wallet balance of the vault contract (sent by the hacker at step 2), it returned a large amount of profit (see detailed analysis below). As a result, the system minted 100 MERLIN as a reward to the hacker.
   
5. Repeated 36 times. Got 49K of MERLIN token in total.
   
6. Swapped MERLIN token into 240 ETH and transferred out of BSC using Anyswap.

Few hours after the attack, another hacker exploited another error in their code - lost ~$550,000.

Did you see they got hit *AGAIN* like 5 hours later for another 200+ ETH by a completely different exploit once they turned minting back on? 

https://bscscan.com/tx/0x664cbe3af9d7627819e1955a90d777d6cf492021eede057bc52686186da192e5 

This one takes advantage of a (intentional?) mistake in their new priceCalculator that misprices only BAND.

4. BurgerSwap ~$7,000,000

1. At around 3 am on May 28th (UTC+8) #BurgerSwap on the BSC chain encountered a flash loan attack; $7.2M was stolen from #BurgerSwap in 14 transactions;

2. Here is the core of the attack, Hackers created their own Fake Coin (non-standard BEP-20 tokens) and formed a new trading pair with $BURGER

3. by adjusting the routing, attacker created $BURGER -> Fake Coin -> $WBNB routing; through $BURGER -> Fake Coin trading pair, attacker re-entered  BurgerSwap  through Fake Coin & manipulated  number of reserve0 and reserve1 in the pair’s contract, causing the price to change

4. Then re-enter the transaction again and trade back the $WBNB, to obtain the extra amount of WBNB inputted

5. Using WBNB as an example to illustrate the details of the attacks:
(1) Attacker flash swapped 6,000 $WBNB ($2M) from PancakeSwap;
(2) Then swapped almost all $WBNB to 92,000 $BURGER on BurgerSwap
(3) Created pair with a fake token on BurgerSwap & added 100 fake tokens and 45k $BURGER to pool;
(4) Swapped 100fake tokens to 4,400 $WBNB through the pool;
(5) Because of reentrancy in time of transfer fake token, attacker did another swap from 45k $BURGER to 4.4k $WBNB
(6) In total attacker received 8,800 $WBNB in the two latest steps;
(7) Swapped 493 $WBNB to around $108,700 BURGER on BurgerSwap;
(8. Attacker repay the flash swap

All mentioned platforms have already set up ways to recover from the exploits. Follow their progress if you've invested in their platform or bought their token/s.

For those interested in keeping up with these kind of news, follow https://rekt.news/
Jump to: