New Free DAO Hack Review

New Free DAO Hack review by SmartState

The project New Free DAO suffered a severe flashloan attack on September 8th and lost almost four and a half thousand BNB (roughly 1.25 million US dollars), as PeckShield warned users soon after.

A flashloan attack is a kind of DeFi attack in which the attacker takes out a ‘flash loan’ (a form of uncollateralized lending) from a lending protocol and uses it together with various tricks to manipulate the market in their favor. The intruder stole BNB tokens built on BSC, converted them into dollars and made a huge withdrawal.

The attacker exploited a vulnerability in the smart contract https://bscscan.com/address/0x8b068e22e9a4a9bca3c321e0ec428abf32691d1e, which contained a specific function with selector 0x6811e3b9.

This function rewards users in NFD tokens according to their NFD balance. The hacker borrowed 250 WBNB by means of a flashloan and then swapped them into tokens.

The attacker then created several additional contracts (such as https://bscscan.com/address/0x9f49375d30dd556776c14e95fb2502ac7e09a281) to receive the stolen funds. To the vulnerable NFD logic each of them looked like a separate user. All of those contracts called the vulnerable 0x6811e3b9 function on the vulnerable contract and claimed the reward which that function distributed.

The attack transaction:

https://bscscan.com/tx/0x1fea385acf7ff046d928d4041db017e1d7ead66727ce7aacb3296b9d485d4a26

The attacker then swapped their tokens and repaid the flashloan. In total the loss came to approximately 4481.3 BNB.

As a result, the NFD token's price collapsed, losing 99% of its value.
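The following Solidity sketch is an added illustration and is not the New Free DAO contract (the review does not reproduce its source). It shows the general shape of the bug class described above, a reward paid out on the caller's current token balance and claimable by any fresh address in the same transaction that acquired the balance, beside a hardened variant that records the block in which tokens were deposited and refuses claims until a later block. Contract names, `REWARD_BPS` and `MIN_HOLD_BLOCKS` are assumed values, not anything from the NFD deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative code only: models the class of reward-claim weakness
// discussed in the review, not the actual New Free DAO contract.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Weak pattern: the reward is computed from whatever balance the caller holds
// at this instant, and every previously unseen address counts as a new user.
// A balance obtained moments earlier with borrowed funds qualifies just the same.
contract RewardVulnerable {
    IERC20 public immutable token;
    uint256 public constant REWARD_BPS = 100; // 1% of held balance (assumed value)
    mapping(address => bool) public claimed;

    constructor(IERC20 _token) { token = _token; }

    function claim() external {
        require(!claimed[msg.sender], "already claimed");
        claimed[msg.sender] = true;
        uint256 reward = token.balanceOf(msg.sender) * REWARD_BPS / 10_000;
        require(token.transfer(msg.sender, reward), "transfer failed");
    }
}

// Hardened pattern: rewards are paid only on tokens deposited into the contract,
// and only once the deposit has aged at least MIN_HOLD_BLOCKS blocks. A flash
// loan is borrowed and repaid inside one transaction, so a balance that must
// have existed in an earlier block cannot have been funded by one.
contract RewardHardened {
    IERC20 public immutable token;
    uint256 public constant REWARD_BPS = 100;     // assumed value
    uint256 public constant MIN_HOLD_BLOCKS = 1;  // assumed value; tune per deployment

    struct Position { uint256 amount; uint256 sinceBlock; bool claimed; }
    mapping(address => Position) public positions;

    constructor(IERC20 _token) { token = _token; }

    // Tokens are pulled into the contract and the deposit block is recorded.
    // Any top-up restarts the holding clock for the whole position.
    function deposit(uint256 amount) external {
        require(amount > 0, "zero deposit");
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        Position storage p = positions[msg.sender];
        p.amount += amount;
        p.sinceBlock = block.number;
    }

    function claim() external {
        Position storage p = positions[msg.sender];
        require(p.amount > 0, "nothing deposited");
        require(!p.claimed, "already claimed");
        // Same-block claims are rejected, which is exactly what a flashloan-funded
        // position would attempt.
        require(block.number >= p.sinceBlock + MIN_HOLD_BLOCKS, "hold longer");
        p.claimed = true;
        uint256 reward = p.amount * REWARD_BPS / 10_000;
        require(token.transfer(msg.sender, reward), "transfer failed");
    }

    // Returns the deposited principal; the per-address claimed flag stays set.
    function withdraw() external {
        Position storage p = positions[msg.sender];
        uint256 amount = p.amount;
        require(amount > 0, "nothing deposited");
        p.amount = 0;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

The block delay removes the flashloan lever specifically: spawning many contracts as separate "users" is still possible, but each one must now hold real capital across a block boundary, which is a cost the attacker actually bears rather than borrows. Checkpointed balances of the kind provided by OpenZeppelin's `ERC20Votes` (`getPastVotes` at an earlier block) achieve the same property without requiring a deposit step.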

Flashloan attacks are quite frequent these days, and several blockchain platforms have been hit by them (such as Avalanche and Curve Finance). It is considered one of the ‘favorite’ techniques among malicious actors.

SmartState: New generation of smart contract audit

About SmartState

Launched in 2019 and based in Dubai, SmartState is one of the leading DeFi security auditing firms. We validate smart contracts and blockchain security against all types of vulnerabilities.

The services we provide go beyond the classic practice of auditing smart contracts in a DLT project. SmartState specializes in manual testing, so our team of white-hat security professionals assesses a project’s git repository in detail and provides guidelines for its further development.

We also check projects for threats and vulnerabilities which may appear in the future, as the network scales and accommodates more functionality and use cases.

Stay tuned and find out more about us and what we provide on our:

SmartState.tech

SmartState is an independent audit company for DLT projects. It performs smart contract audits and security reviews and provides recommendations for improvements.