dForce contacted the hacker via blockchain transaction, offering to negotiate a bounty. Several days later, the project tweeted that the attacker had "c[o]me forward as a whitehat", and that the funds had been fully returned. "We have agreed to offer a bounty and will drop all on-going investigation and law enforcement actions," they announced.
dForce Network exploited for $3.65 million, funds returned
An attacker using flash loans to exploit a common re-entrancy vulnerability siphoned $3.65 million from the dForce defi project on both Arbitrum and Optimism, which are Ethereum layer-2 networks. The exploit, which involves manipulating the oracle price in Curve liquidity pools, is a common one that was first reported to Curve in April 2022 and disclosed in October 2022. It has been used to attack various other projects, including QiDAO.
DFX Finance suffers $5 million loss
An attacker was able to use a flash loan to exploit a vulnerability in the smart contract for DFX Finance, a decentralized forex trading platform. The platform suffered a loss amounting to around $5 million. The attacker subsequently laundered the funds through the Tornado Cash cryptocurrency tumbler. The attacker didn't make off with the entire amount lost from the platform, partly due to an MEV bot snagging a significant amount of the funds.
Earning.Farm exploited for $971,000, exploiter gets frontrun by MEV bot
The defi project Earning.Farm lost 748 ETH (~$971,000) to a hacker using a flash loan attack. The project contract was missing a check that a flash loan was initiated by the protocol, so the attacker was able to instruct the project to withdraw large amounts of funds, which they then were able to transfer to themselves.
Amusingly, one of the transactions by the hacker was frontrun by a MEV bot known as 0xa57, which made a tidy 480 ETH (~$623,000) from the attack. The second transaction succeeded, landing the attacker 268 ETH (~$348,000). According to a MEV researcher, 0xa57 has been known to return funds that were obtained as a result of a hack.
More than $1.1 million stolen from Sovryn defi protocol
Bitcoin-based defi protocol, Sovryn, lost $1 million to a price manipulation attack. An exploiter was able to use the project's legacy lend and borrow functionality to maliciously withdraw 44.93 RBTC (~$915,000) and 211,045 USDT.
According to the protocol, their developers "were able to identify and recover funds as the attacker was attempting to withdraw the funds". They have also announced that Exchequer, the project's treasury committee, would "reinject" the remaining stolen funds.
- "Bitcoin Defi Protocol Sovryn Gets Hacked for Over $1 Million", CryptoPotato
- "Interim Exploit Update", Sovryn
New Free DAO loses $1.25 million in flash loan attack
A flash loan attack against the New Free DAO project resulted in a $1.25 million loss. The project's token also crashed 99% in the wake of the theft. The hacker quickly sent 1,500 BNB (~$415,000) of the stolen funds through the Tornado Cash cryptocurrency mixer, and sent another 2,900 (~$803,000) to the PancakeSwap decentralized exchange.
Flash loan attack nets attacker $370,000 from several sources
An attacker using the Avalanche blockchain successfully executed a flash loan attack impacting one contract and several other liquidity providers. The attacker made around $370,000 in USDC from the attack.
Nirvana Finance drained of $3.5 million
The Solana-based yield farming project, Nirvana Finance, was exploited by an attacker who used flash loans to drain the project of just under $3.5 million. The attacker took out a $10 million loan from the Solend project, used it to mint ANA tokens, swapped the ANA for $13.5 million, and then repaid the loan. The attack was similar to the attack on Crema Finance earlier in the month.
The attack caused the project's ANA token to plunge in value by 80%, and the project's NIRV stablecoin to lose its dollar peg, falling to $0.08. Nirvana Finance tweeted, "Please be advised: ANA has lost its collateral, and NIRV has lost its peg. Until the thief restores funds, these tokens will not have exchange value. Be very careful with trading NIRV & ANA, as they currently have no guaranteed value."
They also tweeted at the hacker, promising to stop investigating the hacker's identity and to pay a $300,000 "bounty" in exchange for the funds back. They wrote, "You have not taken money from VCs or large funds — the treasury you have taken represents the collective hopes of everyday people."
The project had promised its users over 60% APY, and its Twitter account described ANA as "the balanced risk investment with adaptive yield".
Hackers steal $1.43 million from Omni NFT lending platform
Hackers used a flash loan attack to steal around 1,300 ETH ($1.43 million) from the NFT lending platform Omni. Omni allows users to borrow cryptocurrency against their NFTs.
Hackers used NFTs from the popular Doodles collection as collateral to borrow wETH, then withdrew all but one of the NFTs, allowing them to perform a re-entrancy attack. The attacker then laundered the funds using the Tornado Cash cryptocurrency tumbler.
According to Omni, only funds belonging to the platform that were being used for testing were taken by the attacker.
- "Hacker drains $1.4 million worth of ETH from NFT lender Omni", The Block
- Exploiter wallet on Etherscan
Hacker steals over $1.2 million from Inverse Finance, their second such exploit in under three months
A hacker was able to perform an oracle manipulation attack enabled by flash loans to siphon crypto worth around $1.26 million from Inverse Finance. The loss to the protocol was higher, at around $5.8 million. The attacker has already moved most of the stolen funds to the Tornado Cash cryptocurrency tumbler.
Inverse Finance is a borrowing and lending protocol that was hit with a different oracle manipulation attack in early April, which resulted in a $15.6 million loss.
Flash loan attacks on "Feed Every Gorilla" token take $1.9 million
A flash loan attack on the "Feed Every Gorilla" (FEG) token swap contracts pulled $1.3 million from the project, also tanking the token price by 80%. The project operates on both the Ethereum and BSC chains, and the attacker was able to use the exploit against the contracts on both networks. Shortly after the first attack, FEG was hit with a second flash loan attack that drained another $590,000 from the project.
Prior to these attacks, FEG had earned some notoriety from a May 2021 Vanity Fair article outlining an alleged pump-and-dump scheme, titled "Inside the Rise and Fall (and Rise and Fall) of Shit Coins". Despite the bad press, much of the FEG community maintained that the article was a smear and nothing more than an attempt by the author to create FUD. "You could literally take every token and this would apply to everyone..." wrote a moderator of the official FEG subreddit.