Nirvana Finance hack: SmartState Overview
On July 28, 2022, Nirvana Finance was hacked. The total loss from the hack amounted to $3.49M, and the ANA token has fallen by more than 80%.
Below is the SmartState overview of the incident.
Exploit transaction:
Attacker’s account:
https://solscan.io/account/76w4SBe2of2wWUsx2FjkkwD29rRznfvEkBa1upSbTAWH
The attacker created their own program for the exploit:
https://solscan.io/account/62o4UiW394cbFXtVHbCyuA7DDeRL26bnpfDDPXpm7PRR
It was closed on-chain as soon as the exploit of Nirvana Finance had been performed.
To perform the exploit, the attacker used Solend's flash loans. They borrowed ~10M USDC to manipulate the price of the ANA token, which belongs to Nirvana Finance. The price was driven from ~$8 to ~$24.
After manipulating the price, the attacker was able to drain Nirvana Finance's treasury pools and claim 3.49M USDT at the inflated rate.
Summary
This attack route became possible because of a logic error in the interaction between the smart contracts and the oracle.
To avoid such situations, a check was needed that triggers on a sharp change in the price value compared to the previous one.
At SmartState, logic errors are checked using manual testing, since automated tests are unable to detect this type of error.
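An example of the price check described in the summary, added here as an illustration and not taken from Nirvana Finance's or SmartState's code. The PriceGuard type, the micro-USD fixed-point prices, the 10% band and the once-per-slot reference update are all assumptions.

```rust
// Added example; all names and thresholds are hypothetical, not Nirvana Finance's code.
#[derive(Debug, PartialEq)]
pub enum GuardError {
    ZeroPrice,
    Overflow,
    DeviationTooLarge { deviation_bps: u64 },
}

/// Prices are fixed-point integers (here: micro-USD).
pub struct PriceGuard {
    ref_price: u64,         // last price accepted in an earlier slot
    ref_slot: u64,          // slot in which `ref_price` became the reference
    last_accepted: u64,     // most recent accepted price
    max_deviation_bps: u64, // 10_000 bps = 100%
}

impl PriceGuard {
    pub fn new(price: u64, slot: u64, max_deviation_bps: u64) -> Result<Self, GuardError> {
        if price == 0 { return Err(GuardError::ZeroPrice); }
        Ok(Self { ref_price: price, ref_slot: slot, last_accepted: price, max_deviation_bps })
    }

    /// Accept `new_price` only if it stays inside the band around the reference.
    /// The reference moves at most once per slot, so a series of small steps
    /// inside one transaction cannot walk the price out of the band.
    pub fn check_and_update(&mut self, new_price: u64, slot: u64) -> Result<u64, GuardError> {
        if new_price == 0 { return Err(GuardError::ZeroPrice); }
        if slot > self.ref_slot {
            self.ref_price = self.last_accepted;
            self.ref_slot = slot;
        }
        let diff = new_price.abs_diff(self.ref_price);
        let deviation_bps = diff.checked_mul(10_000).ok_or(GuardError::Overflow)? / self.ref_price;
        if deviation_bps > self.max_deviation_bps {
            // The rejected value never becomes the reference or the accepted price.
            return Err(GuardError::DeviationTooLarge { deviation_bps });
        }
        self.last_accepted = new_price;
        Ok(deviation_bps)
    }
}

fn main() {
    // Constructed values: ~$8 and ~$24 as in the write-up, 10% band, slot 100.
    let mut guard = PriceGuard::new(8_000_000, 100, 1_000).unwrap();
    println!("{:?}", guard.check_and_update(8_400_000, 100)); // ordinary move
    println!("{:?}", guard.check_and_update(24_000_000, 100)); // manipulated price
}
```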