The latest DeFi incursion involves flash loans … again.
DeFi lending protocol Warp Finance has reportedly suffered a flash loan attack resulting in the loss of as much as $8 million in digital assets.
Reports are coming in that an attacker has made off with between $1 million and as much as $8 million, according to DeFi Prime. The losses follow a series of flash loans that have exploited vulnerabilities in the Warp Finance protocol.
Warp Finance is a new DeFi platform announced in early November that enables users to deposit liquidity provider (LP) tokens from other protocols and receive stablecoin loans in exchange.
The Warp Finance Twitter feed didn’t provide any details at the time of writing aside from this:
“We are investigating irregular stablecoin loans taken out in the last hour, we recommend that you do not deposit anymore stablecoins until we have clarity on the irregularities,”
One user [@Swind11001] responded to the notice, claiming to have lost 40,000 DAI:
“Please help me. This is the first time that I use defi. I have invested 40000 Dai in total. This money is all my savings. I can’t live without it.”
DeFi analysis portal DeFi Prime has highlighted the suspicious transaction in question:
⚠️ Flash loan attack on a Warp protocol ⚠️
About $8m stolen
This TX ⤵️ https://t.co/CMEPxk4838
— defiprime (@defiprime) December 17, 2020
White hat hackers are investigating the spurious transactions that led to the incursion. Co-founder of the Marqet Exchange, Emiliano Bonassi, has been delving into what happened, stating:
“This is the second attack which uses multiple flash liquidity, flash swaps via Uniswap and flash loans via dYdX,”
He added that the attacker asked for three wrapped Ether loans via flash swaps to three different pools on Uniswap and two more on the dYdX trading platform. The funds were then used to mint WETH/DAI liquidity pool (LP) tokens which were used as collateral on Warp Finance in order to clear out its USDC and DAI vaults.
A flash loan is one in which crypto collateral is borrowed and repaid within the same transaction. Smart contract audits, such as the one conducted for Warp by Hacken, do not necessarily protect against flash loan attacks, since these exploit the design of the system.
The attack vector has been the weapon of choice for crypto thieves targeting DeFi protocols this year, with several protocols including bZX, Balancer, Origin Protocol, Akropolis, and Harvest Finance all falling victim. Warp Finance appears to be the latest casualty.