On Aug 25, 2021, Defi protocol Dot Finance was exploited for ~$429K in a lightning loan attack which reduced the protocol’s value by 35 %. The attackers utilized flash loans to manipulate the token prices.
Table of Contents
Dot Finance, operating on the BSC, fell victim to a flash loan attack on August 25th. The attack resulted in a nearly 35% reduction in the protocol’s value.
The attack was executed through a series of transactions involving specific addresses and contracts, and its impact on the platform’s security and financial health is a cause for concern. The attacker gained about ~$429K from this incident.
Hacker’s Actions and Exploited Vulnerability
The hacker’s address involved in the attack is
The attack was orchestrated using a contract address
0x33f9bB37d60Fa6424230e6Cf11b2d47Db424C879 which the attacker created.
The attack involved a sequence of functions and transactions:
- The attacker initiated the attack by utilizing the PancakePair swap function.
- The attacker leveraged a flash loan from PancakeSwap, acquiring 100 Cake tokens as initial funds.
- The Cake tokens were inserted into the VaultPinkBNB contract, enabling the execution of the getReward function.
- The getReward function utilized the balanceOf(address(this)) method to determine the contract’s Cake token balance.
- Through this balance, the attacker manipulated the performanceFee parameter, significantly impacting the actual value of Cake tokens
- Subsequently, the mintFor function exploited the altered performanceFee parameter to generate a substantial amount of pink tokens, effectively rewarding the attacker.
- The Attacker then deposited the stolen amount to Tornado.cash via multiple transactions.
Implications and Lessons Learned
This attack bears resemblance to previous incidents targeting PancakeBunny, and Cream Finance reflects a pattern of similar attacks.
The flash loan attack on Dot Finance highlights the vulnerability of DeFi protocols to sophisticated exploitation techniques.
The attack’s impact on Dot Finance’s value and security prompts a call for heightened security measures within the BSC ecosystem.
The incident serves as a reminder of the ever-present risks associated with DeFi platforms and the pressing need for proactive security strategies to safeguard user funds and platform integrity.