Amusingly, one of the transactions by the hacker was frontrun by a MEV bot known as 0xa57, which made a tidy 480 ETH (~$623,000) from the attack. The second transaction succeeded, landing the attacker 268 ETH (~$348,000). According to a MEV researcher, 0xa57 has been known to return funds that were obtained as a result of a hack.
Earning.Farm exploited for $971,000, exploiter gets frontrun by MEV bot
The defi project Earning.Farm lost 748 ETH (~$971,000) to a hacker using a flash loan attack. The project contract was missing a check that a flash loan was initiated by the protocol, so the attacker was able to instruct the project to withdraw large amounts of funds, which they then were able to transfer to themselves.
More than $1.1 million stolen from Sovryn defi protocol
Bitcoin-based defi protocol, Sovryn, lost $1 million to a price manipulation attack. An exploiter was able to use the project's legacy lend and borrow functionality to maliciously withdraw 44.93 RBTC (~$915,000) and 211,045 USDT.
According to the protocol, their developers "were able to identify and recover funds as the attacker was attempting to withdraw the funds". They have also announced that Exchequer, the project's treasury committee, would "reinject" the remaining stolen funds.
- "Bitcoin Defi Protocol Sovryn Gets Hacked for Over $1 Million", CryptoPotato
- "Interim Exploit Update", Sovryn
New Free DAO loses $1.25 million in flash loan attack
A flash loan attack against the New Free DAO project resulted in a $1.25 million loss. The project's token also crashed 99% in the wake of the theft. The hacker quickly sent 1,500 BNB (~$415,000) of the stolen funds through the Tornado Cash cryptocurrency mixer, and sent another 2,900 (~$803,000) to the PancakeSwap decentralized exchange.
Flash loan attack nets attacker $370,000 from several sources
An attacker using the Avalanche blockchain successfully executed a flash loan attack impacting one contract and several other liquidity providers. The attacker made around $370,000 in USDC from the attack.
Nirvana Finance drained of $3.5 million
The Solana-based yield farming project, Nirvana Finance, was exploited by an attacker who used flash loans to drain the project of just under $3.5 million. The attacker took out a $10 million loan from the Solend project, used it to mint ANA tokens, swapped the ANA for $13.5 million, and then repaid the loan. The attack was similar to the attack on Crema Finance earlier in the month.
The attack caused the project's ANA token to plunge in value by 80%, and the project's NIRV stablecoin to lose its dollar peg, falling to $0.08. Nirvana Finance tweeted, "Please be advised: ANA has lost its collateral, and NIRV has lost its peg. Until the thief restores funds, these tokens will not have exchange value. Be very careful with trading NIRV & ANA, as they currently have no guaranteed value."
They also tweeted at the hacker, promising to stop investigating the hacker's identity and to pay a $300,000 "bounty" in exchange for the funds back. They wrote, "You have not taken money from VCs or large funds — the treasury you have taken represents the collective hopes of everyday people."
The project had promised its users over 60% APY, and its Twitter account described ANA as "the balanced risk investment with adaptive yield".
Hackers steal $1.43 million from Omni NFT lending platform
Hackers used a flash loan attack to steal around 1,300 ETH ($1.43 million) from the NFT lending platform Omni. Omni allows users to borrow cryptocurrency against their NFTs.
Hackers used NFTs from the popular Doodles collection as collateral to borrow wETH, then withdrew all but one of the NFTs, allowing them to perform a re-entrancy attack. The attacker then laundered the funds using the Tornado Cash cryptocurrency tumbler.
According to Omni, only funds belonging to the platform that were being used for testing were taken by the attacker.
- "Hacker drains $1.4 million worth of ETH from NFT lender Omni", The Block
- Exploiter wallet on Etherscan
Hacker steals over $1.2 million from Inverse Finance, their second such exploit in under three months
A hacker was able to perform an oracle manipulation attack enabled by flash loans to siphon crypto worth around $1.26 million from Inverse Finance. The loss to the protocol was higher, at around $5.8 million. The attacker has already moved most of the stolen funds to the Tornado Cash cryptocurrency tumbler.
Inverse Finance is a borrowing and lending protocol that was hit with a different oracle manipulation attack in early April, which resulted in a $15.6 million loss.
Flash loan attacks on "Feed Every Gorilla" token take $1.9 million
A flash loan attack on the "Feed Every Gorilla" (FEG) token swap contracts pulled $1.3 million from the project, also tanking the token price by 80%. The project operates on both the Ethereum and BSC chains, and the attacker was able to use the exploit against the contracts on both networks. Shortly after the first attack, FEG was hit with a second flash loan attack that drained another $590,000 from the project.
Prior to these attacks, FEG had earned some notoriety from a May 2021 Vanity Fair article outlining an alleged pump-and-dump scheme, titled "Inside the Rise and Fall (and Rise and Fall) of Shit Coins". Despite the bad press, much of the FEG community maintained that the article was a smear and nothing more than an attempt by the author to create FUD. "You could literally take every token and this would apply to everyone..." wrote a moderator of the official FEG subreddit.
Saddle Finance loses more than $11 million to hack
An exploiter used a flash loan attack to pull 3,933 ETH (~$11 million) from the "decentralized automated market maker" Saddle Finance. Shortly after the attack, the hacker began moving the stolen funds through the Tornado Cash tumbler to launder the money.
Saddle Finance had lost money once before, hours after it launched in January 2021. An individual was able to arbitrage Saddle Finance pools for a profit of around $275,000.
- Tweet thread by PeckShield
- "Update on Saddle’s Launch", Saddle Medium
Deus Finance exploited for $13.4 million in the second hack in two months
The defi project Deus Finance was hit with a flash loan attack that netted the hacker $13.4 million. The loss to the protocol was likely larger than what the hacker was able to withdraw, though Deus announced that no users had been liquidated and that "the loss is on the protocol".
Deus had suffered a similar attack in March, with an attacker using a flash loan attack to steal more than $3.1 million. Deus reimbursed users who were liquidated in the incident.
According to Deus' CEO, the exploit in this incident was not the same one used in the previous attack. He wrote on Twitter that the exploit was "the first of its kind, a zero-day exploit on Solidly [decentralized crypto exchange] swaps".