The Binance Smart Chain (BSC) has seen a number of flash loan attacks in recent months. This week has been remarkable, however, as one attacker has exploited two DeFi (decentralized finance) protocols just days apart, with one of those protocols being exploited twice in one day.
Impossible Finance (IF), a DeFi BSC-based protocol, was the victim of a flash loan attack on Monday, the 21st of June at around 4:40 AM UTC. The protocol fell from $3.77 to a low of $0.14 the following day, a -96.3% drawdown. Impossible Finance notably raised $7 million just a few weeks ago.
The exploiter used the address: 0x8e0D334A77614a7ce089C9246e9B1d7C7172eF02 to receive the stolen funds, and a smart contract: 0xC7CA5478a41D58E73f0487b0F4084B6120Aa11e6 to exploit the Impossible Finance platform for approximately $0.5M (229.84 ETH).
The hacker attacked numerous pools and made off with BUSD, BNB, and IF governance tokens, which were later bridged using the AnySwap protocol to be transferred to the Ethereum blockchain.
Impossible Finance exploited smart contracts list:
• 0x8cCB8A6b0E7bACeb73034389C4Ea1e7E17b4Cf47- block: 8480453, tx hash: 0x3e881612ffc84042b5691fda740872760db61b384e99d918e24ddac54f7e2fc, WBNB vault: 0x41eaA9a485b472581C56b236ff5CC6C4703Ae955
• 0xf401b25d57f9e0f7b822eec1b9030b633238fb5b- block: 8480453,tx hash: 0xfc4231a65c9084da48450947ad1e036e1fe6142640679318b99cc3b45265e036, IF vault: 0x2419fF7FD12b8D6fC47624eb4914643E215100c2
• 0x6a2AEf2571A9260beF104B5506316EA09093E261,- blocks: 8480454, tx hash: 0xf1fb946e452a5ca233b37c19d7debba39505226c5bb262382907b29c1460ae17, IF vault: 0x0C09d3F6906152eBa4AF6cA6c4597d82d308272d, 8480470, tx hash: 0x39980eb39150206fd502219b808ee1bd55ee8c008ea613ad7c43cb09b22cbd89, IF vault: 0x0Ef5BB19e9a509502301A94aCcd4C09f717aF416, 8486672, tx hash: 0x52ce22f7a5e33132839d066da3ea01b4a0ca8c694c5d85d8943dd050a46e5802, IF vault: 0x6cF588012aF2aB54359dCD1BaA90D782977F2aCb
• 0xf45a500fd92dcd370244f169f1c68835dc8b1ff7- block: 8480454, tx hash: 0xa00f47c8b48522b53d3a655ef8dff163e5ccb066e7f017b9592c70a0efc38062, BUSD vault: 0x4869ADf92ca3404d7a876d23585aB60a8D9Ef1ee
• 0x8aE4DfFbf44C1C6c4C18489914401ef830Ee146D- block: 8480455, tx hash: 0x0220704a99ddfb982d26e65cc337f26b77dc057930b7aa1d848cc48ec77984a8, IF vault: 0x1a9FEBDB26c700fF585E1abf80D35f6ABC9715f8
After exploiting the Impossible Finance platform, the exploiter exchanged the stolen tokens to anyETH tokens and transferred them to 0x8e0D334A77614a7ce089C9246e9B1d7C7172eF02 via the Nerve Bridge. The hacker had clearly set out to use the address for nefarious means, as the first incoming transaction onto this wallet came through Tornado Cash, an Ethereum mixer, on the 21st of May.
But the Impossible Finance exploit seemed to be just the beginning of the week for this black hat hacker.
On Wednesday 23rd June, Eleven Finance (EF), a yield aggregator on both BSC and Polygon (MATIC), was attacked twice on the same day, with one exploit being carried out by the same attacker responsible for the Impossible Finance flash loan attack. The exploits abused the Nerve (NRV) vaults on the EF DeFi protocol.
The 1st Eleven Finance exploit – occurring around 11 PM 22nd June – funds were sent to 0xc71e2F581b77De945C8A7A191b0B238c81f11eD6, and cost the protocol a cool 2,293 ETH ($4,566,495). Two hours before the attack, a small amount of funds used to pay for gas fees in the attack had passed through Typhoon Cash. Some ETH funds have since moved out of the wallet through Tornado Cash.
The 2nd Eleven Finance exploit – occurring at around 2 AM 23rd June, just 3 hours after the first – funds were sent to 0x8e0D334A77614a7ce089C9246e9B1d7C7172eF02, the same receiving address as the one used in the Impossible Finance exploit. In this second Eleven Finance exploit, the hacker made off with 129 ETH (259,200 USD). Before the flash loan attack, a small amount of the exploiter’s BSC-based funds were passed through Typhoon Network, a BSC mixer, before being bridged into ETH with Nerve – somewhat ironically as some of the EF vaults that were exploited were denominated in NRV – to pay for gas fees of the attack. After the flash loan attack, the funds have since stayed on the hacker’s wallet (alongside the stolen IF assets).
Although protocols have been known to get flash loan attacked twice on the same day, it is a rare occurrence. Owing to the close timeframe between the 1st and 2nd EF exploits, it is highly likely it is either the same hacker or group.
In addition, it is possible that the hacker is either the same or a copycat of the BurgerSwap hacker from the 28th of May – where $7.2 million was stolen – as the same line of code of BurgerSwap and Impossible Finance was seemingly abused.
The postmortem Medium post by Impossible Finance acknowledged that “The truth is […] our swap was attacked due to the missing x*y=k condition”. In the analysis on the IF exploit, Watch Pug states: “The original Uniswap LP contract includes an important check that enforces x*y=k. It’s missing in the cheapSwap() function. With the K check missing, the impossible is now possible.” According to Mudit Gupta, a core developer of SushiSwap, the missing function is that the code should read x*y >=k. “The swap function is supposed to verify x*y >= k which basically verifies that the contract got enough input tokens required to do the swap.”, Gupta stated on the BurgerSwap attack.
Either way, the concept is the same – the x*y figure should not be less than k. If the x*y>k check is missing, any user can create a swap of any output size whilst only paying a single unit of an input token. All for one.
Coinfirm closely monitors DeFi vulnerability attacks and is actively preventing tainted funds from mixing with the ecosystem with the AML Oracle.
What is a Flash Loan Attack?
A flash loan attack is where a hacker finds a vulnerability in a protocol and uses a flash loan to exploit the price of an asset. An attacker takes out a flash loan (a type of uncollateralized loan) from a lending protocol and utilizes it in tandem with a number of other forms of duplicity to manipulate a particular market to their favor. Flash loan attacks can occur in just seconds but involve four or more DeFi protocols. Because they are uncollateralized loans, the loan must be paid back at the end of the same transaction. Flash loans do have a legitimate purpose, that typically being to take advantage of arbitrage. This is a healthy activity as arbitrage traders equalize prices across the market and thus provide a price finding function.
For example, if ETH is $2,000 on Exchange A and $2,500 on Exchange B, an arbitrage trader can borrow through this kind of loan and conduct a separate order to buy 100 ETH for $200,000 at Exchange A, dump the ETH for $250,000 on Exchange B and give back the 200k they borrowed. In this example, the trader can then go home with the 50k difference, after transaction costs and slippage etc.
Flash loan attacks are cheap (no collateral required), low risk (whilst planning takes time, the execution takes seconds) and high reward schemes as seen from above and other examples such as the recent PancakeBunny exploit. These reasons make them attractive to criminals as flash loan attacks do not require vast amounts of resources such as 51% attacks but merely the ingenuity of the attacker.
How can misappropriated funds be traced through the blockchain?
Coinfirm has just unveiled a new feature of the AML Platform: C-Live Tracking.
Over 90% of crypto fraud and crime remains unsolved due to a lack of real-time asset tracking, knowledge and the international nature of cases.
C-Live changes this. By utilizing Coinfirm’s partner network, real-time tracking of stolen funds through the blockchain and expert fraud investigators, victims can gain the upper hand.
