Pink Lightning

Flash Loan Hackers Drain $16M+ From DeFi Protocols in One Week

Hackers were able to drain $16.4 million in ETH and Dai from DeFi projects Akropolis, Value DeFi Protocol, and Origin Protocol using flash loans, just in the past week.

Value DeFi Attack

An attacker on Value DeFi swapped flash-loaned ETH for DAI and USDT, then deposited part of the flash-loaned DAI into Value DeFi’s multi-stablecoin vault. They then conducted a series of stablecoin swaps between USDT, USDC, and DAI designed to exploit the pricing used by the Value DeFi vault’s withdrawal method. The result was a loss of $7.4M, of which the hacker later returned $2M, according to the team’s post-mortem.

Value DeFi has halted its vaults while every depositor’s balance from before the attack is captured to calculate exact compensation amounts.

Transaction details for the Value hack (note the tx fee of just $60). Source: Etherscan

Origin & Akropolis Attacks

At Origin Protocol, which was hacked for $7M, the method continued, with the flash loans washed and rinsed on liquidity platforms such as Uniswap. Meanwhile, deposits to vaults are disabled, and the company warns users not to buy any OUSD because current prices do not reflect its underlying assets. The team anticipates a plan to compensate users if Origin is unable to recoup user deposits.

For Akropolis, the incident, which drained $2M, was due to the exploitation of pool tokens minted without being backed by assets. Akropolis has added checks for deposit tokens and re-entrancy guards for deposits and withdrawals. Next week the team plans to do additional contract testing and gradually re-open the AKRO & ADEL staking pool for deposits.
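The fixes described above (deposit-token checks and re-entrancy guards on deposits and withdrawals), modeled in Python as an added example. This is not Akropolis's contract code: `GuardedPool`, `Token`, `Revert` and `non_reentrant` are hypothetical names, and the model assumes accepted tokens are valued 1:1 and mints pool tokens only for the balance the pool actually received.

```python
class Revert(Exception):
    """Models an EVM revert (constructed for this example)."""

def non_reentrant(fn):  # one lock shared by every guarded method of a pool
    def wrapper(self, *args):
        if self.locked:
            raise Revert("re-entrant call")
        self.locked, saved = True, dict(self.shares)
        try:
            return fn(self, *args)
        except Revert:
            self.shares = saved              # a revert undoes pool state changes
            raise
        finally:
            self.locked = False
    return wrapper

class Token:
    """Toy token ledger; on_transfer models a token that runs external code."""
    def __init__(self, on_transfer=lambda: None):
        self.balances, self.on_transfer = {}, on_transfer
    def balance_of(self, who):
        return self.balances.get(who, 0)
    def transfer(self, src, dst, amount):
        self.on_transfer()                   # untrusted code may run mid-call
        if amount <= 0 or self.balance_of(src) < amount:
            raise Revert("bad transfer")
        self.balances[src] = self.balance_of(src) - amount
        self.balances[dst] = self.balance_of(dst) + amount

class GuardedPool:
    """Hypothetical pool; assumes accepted tokens are valued 1:1."""
    def __init__(self, accepted):
        self.accepted, self.locked, self.shares = set(accepted), False, {}
    @non_reentrant
    def deposit(self, user, token, amount):
        if token not in self.accepted:       # deposit-token check
            raise Revert("token not accepted")
        before = token.balance_of(self)
        token.transfer(user, self, amount)
        received = token.balance_of(self) - before
        self.shares[user] = self.shares.get(user, 0) + received  # mint what arrived
        return received
    @non_reentrant
    def withdraw(self, user, token, amount):
        if token not in self.accepted or not 0 < amount <= self.shares.get(user, 0):
            raise Revert("bad withdrawal")
        self.shares[user] -= amount          # burn before the external call
        token.transfer(self, user, amount)
        return amount
```

Because both methods share one lock, a token callback that re-enters either `deposit` or `withdraw` mid-call is rejected, and the pool-token supply stays equal to the assets the pool holds.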

Flash Loans

Flash loans allow users to borrow from a DeFi protocol without putting up collateral, as long as the loan is paid back in the same block. This has enabled speculators to exploit protocol vulnerabilities without needing massive amounts of initial capital. These attacks have been on the rise as 2020 has lured in new users with generous APYs (annual percentage yields) that surpass those of traditional bank accounts.

Sentiment in the DeFi community is split between those who see flash loans as dangerous tools that jeopardize users’ funds and those who believe they simply allow protocol flaws to be exposed sooner. If one thing is clear, they’re helping weed out weaknesses in the space, albeit at a high cost for some users.

As we approach the end of 2020, $346 million has been stolen across DeFi protocols to date, according to Crypto Briefing. The next step for these protocols is to work with security firms to trace and retrieve the lost funds.