Flash loans have become the new bane of the crypto industry. Just a day after a flash loan attack was carried out on Avalanche, another has taken place on the decentralized finance (DeFi) protocol New Free DAO (NFD). Reportedly, the attack resulted in a loss of $1.25 million. The price of the project’s native token has fallen by 99% since the attack.
CertiK, the blockchain security firm, took to Twitter to inform the wider crypto community about the attack. The attacker reportedly used the function “addMember()” to add themselves as a member and then deployed an unverified contract. The attacker later used the unverified contract to carry out three flash loan attacks.
According to CertiK, the attacker has ties to the Neorder attack from four months ago involving 930 BNB tokens.
The attacker used the new attack contract to borrow WBNB via a flash loan and exchange it for New Free DAO’s NFD tokens, in order to obtain rewards by interacting with the unverified contract. The attacker then repeated the process with numerous newly created contracts.
CertiK also noted that the stolen funds are being deposited into the Tornado Cash crypto mixer. So far, 400 BNB, worth $111K, have been transferred to the mixer. The mixer has been at the center of some controversy of late. The platform was put under sanction by the US government, and one of its developers, Alexey Pertsev, was arrested.
A problem with the New Free DAO contract?
Another security firm, Beosin, highlighted some issues with the New Free DAO protocol. According to the security firm, the price of NFD could be manipulated because it is determined by “using the balance of USDT in the pair, so it may lead to flash loan attack if exploited.”
Flash loan attacks are becoming more common these days. The assailant takes out an unsecured loan and uses it to manipulate prices. These attacks are popular because they are relatively simple to carry out.
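The weakness Beosin describes, modeled as an added example (this is not New Free DAO's contract code and is not from the original article): a constructed constant-product pool in which a price read from the pair's current USDT balance is compared with a time-weighted reference before it is trusted. The class and function names, the reserve sizes, the fee-free swap and the 5% deviation limit are all assumptions made for illustration.

```python
# Added illustration with constructed numbers; not New Free DAO's code.
from dataclasses import dataclass


@dataclass
class Pair:
    usdt: float               # USDT balance held by the pair
    token: float              # token balance held by the pair
    cumulative: float = 0.0   # running sum of price * seconds
    last_ts: int = 0

    def balance_price(self) -> float:
        """Price read straight from current balances (the pattern Beosin flags)."""
        return self.usdt / self.token

    def sync(self, now: int) -> None:
        """Accumulate the price that held since the previous update."""
        self.cumulative += self.balance_price() * (now - self.last_ts)
        self.last_ts = now

    def swap_usdt_in(self, amount: float, now: int) -> float:
        """Constant-product swap, fees ignored: USDT in, tokens out."""
        self.sync(now)
        k = self.usdt * self.token
        self.usdt += amount
        out = self.token - k / self.usdt
        self.token -= out
        return out


def twap(pair: Pair, start_cum: float, start_ts: int, now: int) -> float:
    """Time-weighted average price over [start_ts, now]."""
    if now <= start_ts:
        raise ValueError("window must span at least one second")
    pair.sync(now)
    return (pair.cumulative - start_cum) / (now - start_ts)


def price_is_trustworthy(spot: float, reference: float, max_dev: float = 0.05) -> bool:
    """Reject a balance-derived price that strays too far from the reference."""
    return abs(spot - reference) / reference <= max_dev


def demo():
    pair = Pair(usdt=100_000.0, token=1_000_000.0)    # constructed reserves
    start_cum, start_ts = pair.cumulative, pair.last_ts
    pair.sync(3600)                                    # one quiet hour at 0.10
    before = pair.balance_price()
    pair.swap_usdt_in(900_000.0, now=3600)             # one large swap, same second
    after = pair.balance_price()
    reference = twap(pair, start_cum, start_ts, 3600)
    return before, after, reference, price_is_trustworthy(after, reference)
```

In this model a single large swap moves the balance-derived price from 0.10 to 10.0 while the time-weighted reference stays at 0.10, so the deviation check refuses the balance-derived value.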