New Free DAO’s $1.25M Flash Loan Attack Explained | QuillAudits

Published in

QuillHash

4 min readSep 15, 2022

Summary:

On the 8th of September, 2022, New Free DAO was exploited with a flash loan attack. From this exploit, The attacker made a profit of 4481 WBNB (approx. ~$1.25M) causing the native token $NFD to slip in price by 99%.

Introduction to Protocol and How its tech works.:

New Free DAO is a ‘DAO project’ on BNB Chain. DAO stands for ‘decentralized autonomous organization’, where governance decisions are made by the broader community and often voted on by holders of the entity’s native($NFD) token. $NFD was created to offer a variety of features and was specifically designed for NFT purposes.

Vulnerability Analysis & Impact:

Before getting deep into it, Lets first understand what Flash Loans Attacks are:

FlashLoans Attack:

A flash loan attack is an abuse of the smart contract security of a particular platform in which an attacker usually borrows a lot of funds that don’t require collateral. They then manipulate the price of a crypto asset on one exchange and quickly resell it on another one.

Check out this blog by quillhash for further details.

Attack Steps:

The attacker first deployed an unverified contract and called the function addMember() to add itself as a member. Hacker’s address: 0x22c9736d4fc73a8fa0eb436d2ce919f5849d6fd2

2. The attacker borrowed around 250 WBNB via flash loan from pancakeswap to the deployed contract. Further, he swapped WBNB for NFD tokens and transferred them to the attacking contract.

https://cdn-images-1.medium.com/max/1067/0*QaBLsMHucDfHiknZ

3. The attacker then called 0xe2f9d09c function in the contract, which calls the reward contract function to claim rewards. The attacker then created multiple new contracts and repeated the process to claim rewards.

4. Finally, after obtaining the rewards, the hackers converted the NFD tokens back to WBNB, which was around 3202 WBNB. The attacker then repaid the flash loan, i.e. 250 WBNB, to PancakeSwap and made a profit of 2952 WBNB.

Similarly, the attacker executed the transaction 3 times in total and made a profit of 4481 WBNB, which is approximately $1.25 Million.

After the Exploit :

The exploit caused the native token of New DAO to crash by 99%.

Status of Stolen Fund:

The stolen funds were deposited into TornadoCash. About 500 BNB has been transferred to the mixer so far. 1081 BNB and $790K BUSD remain in the attacker contract. More info can be found here.

Prevention for Flash Loan Attacks:

Recently there has been a massive increase in flash loan attacks in the DeFi space. Their occurrences have given birth to two popular solutions. Check out here for a detailed explanation.
1. Decentralized Pricing Oracles
2. Implementation of DeFi Security Platforms