New Free DAO Hack Review
Sep 8, 2022


New Free DAO Hack review by SmartState
New Free DAO has been attacked, and the villain has stolen more than ~1.25 mln US dollars.

The New Free DAO project suffered a fierce flashloan attack on September 8th and lost almost four and a half thousand BNB (which equals 1.25 mln US dollars), as PeckShield warned users soon after.

A flashloan attack is a kind of DeFi attack in which the hacker takes out a ‘flash loan’ (a form of uncollateralized lending) from a lending protocol and uses it in conjunction with various types of gimmickry to manipulate the market in their favor. The intruder stole BNB tokens, which are based on BSC, converted them into dollars and made a huge withdrawal.

The villain exploited a vulnerability in the smart contract, which contained a specific function, 0x6811e3b9.

This function is meant to reward users in NFD tokens based on their NFD balance. The hacker borrowed 250 WBNB by means of a flashloan and then swapped them into tokens.

Then the villain created several additional contracts (such as to transfer the stolen amount to. Each of them acted as a separate user for the purposes of the NFD vulnerability. As a result, all those contracts called the vulnerable 0x6811e3b9 function on the vulnerable contract and claimed the reward that this function was meant to give.

The attack transaction:

Then the villain swapped their tokens and returned the flashloan. In the end, the total loss equaled approx. 4481.3 BNB.

As a result, the price of the NFD token was effectively zeroed, having lost 99% of its value.
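The reward function described above pays on the caller's NFD balance, so tokens bought with a flashloan qualify the moment they arrive at a newly created contract. The following simplified Python model is an added example, not New Free DAO's contract code: it contrasts paying on the balance at call time with paying only on a balance that was already held a set number of blocks earlier. The reward rate, holding period, addresses and events are constructed assumptions.

```python
# Simplified model: added example, not New Free DAO's contract code.
# Assumption: the reward is a fixed fraction of the caller's NFD balance.
from bisect import bisect_right

REWARD_BPS = 500        # hypothetical rate: 5% of balance
MIN_HOLD_BLOCKS = 100   # hypothetical holding period (hardened form)
# Constructed events: (address, balance change, block)
EVENTS = [("holder", 10_000, 1_000), ("fresh_1", 40_000, 5_000),
          ("fresh_2", 40_000, 5_000), ("fresh_3", 40_000, 5_000)]


class RewardLedger:
    def __init__(self):
        self.history = {}     # address -> [(block, balance), ...] in block order
        self.claimed = set()  # addresses that have already claimed

    def move(self, addr, delta, block):
        """Record a balance change for addr in the given block."""
        points = self.history.setdefault(addr, [])
        prev = points[-1][1] if points else 0
        points.append((block, prev + delta))

    def balance_at(self, addr, block):
        """Balance of addr as of the end of the given block."""
        points = self.history.get(addr, [])
        i = bisect_right([b for b, _ in points], block)
        return points[i - 1][1] if i else 0

    def _pay_once(self, addr, basis):
        """One claim per address, paid as a fraction of `basis`."""
        if addr in self.claimed:
            return 0
        self.claimed.add(addr)
        return basis * REWARD_BPS // 10_000

    def claim_vulnerable(self, addr, block):
        """Basis is the balance at call time, however recently acquired."""
        return self._pay_once(addr, self.balance_at(addr, block))

    def claim_hardened(self, addr, block):
        """Basis is the lower of the balance MIN_HOLD_BLOCKS ago and now."""
        old = self.balance_at(addr, block - MIN_HOLD_BLOCKS)
        return self._pay_once(addr, min(old, self.balance_at(addr, block)))


def payouts(claim_name, block=5_000):
    """Replay EVENTS on a new ledger, then let every address claim once."""
    ledger = RewardLedger()
    for addr, delta, blk in EVENTS:
        ledger.move(addr, delta, blk)
    return {a: getattr(ledger, claim_name)(a, block) for a in ledger.history}
```

In this model the one-claim-per-address guard does not limit the payout, because every fresh address passes it; the holding-period basis is what leaves same-block balances with nothing to claim while the long-term holder is paid as before.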

Flashloan attacks are quite frequent these days, and several blockchain platforms have gone through them (such as Avalanche and Curve Finance). This type of attack is considered one of the ‘favorites’ among notorious users.

SmartState: New generation of smart contract audit

About SmartState

Launched in 2019 and based in Dubai, SmartState is one of the leading DeFi security auditing firms. We validate smart contract and blockchain security against any type of vulnerability.

The services we provide go beyond the classic practice of auditing smart contracts in a DLT project. SmartState specializes in manual testing, so our team of white-hat security professionals assesses a project’s git in detail and provides guidelines for its further advancement.

We also check projects for threats and vulnerabilities which may appear in the future, as the network achieves scalability and accommodates more functionality and use cases.
