On Aug 25, 2021, Defi protocol Dot Finance was exploited for ~$429K in a lightning loan attack which reduced the protocol’s value by 35 %. The attackers utilized flash loans to manipulate the token prices.
Attack Overview
Table of Contents
Dot Finance, operating on the BSC, fell victim to a flash loan attack on August 25th. The attack resulted in a nearly 35% reduction in the protocol’s value.
The attack was executed through a series of transactions involving specific addresses and contracts, and its impact on the platform’s security and financial health is a cause for concern. The attacker gained about ~$429K from this incident.
Hacker’s Actions and Exploited Vulnerability
The hacker’s address involved in the attack is
0xDFD78a977c08221822F6699AD933869Da6d9720C.
The attack was orchestrated using a contract address
0x33f9bB37d60Fa6424230e6Cf11b2d47Db424C879 which the attacker created.
Attack Transaction:
0x68170a309ab2e944e178ccf9bf6f19e25a3f356031ce53539bb9669fc77172f2
Attack Analysis
The attack involved a sequence of functions and transactions:
- The attacker initiated the attack by utilizing the PancakePair swap function.
- The attacker leveraged a flash loan from PancakeSwap, acquiring 100 Cake tokens as initial funds.
- The Cake tokens were inserted into the VaultPinkBNB contract, enabling the execution of the getReward function.
- The getReward function utilized the balanceOf(address(this)) method to determine the contract’s Cake token balance.
- Through this balance, the attacker manipulated the performanceFee parameter, significantly impacting the actual value of Cake tokens
- Subsequently, the mintFor function exploited the altered performanceFee parameter to generate a substantial amount of pink tokens, effectively rewarding the attacker.
- The Attacker then deposited the stolen amount to Tornado.cash via multiple transactions.
Implications and Lessons Learned
This attack bears resemblance to previous incidents targeting PancakeBunny, and Cream Finance reflects a pattern of similar attacks.
The increasing frequency of such attacks on the BSC chain and other chains underscores the urgency of bolstering smart contract security measures.
Read More: Flash Loans in DeFi
Conclusion
The flash loan attack on Dot Finance highlights the vulnerability of DeFi protocols to sophisticated exploitation techniques.
The attack’s impact on Dot Finance’s value and security prompts a call for heightened security measures within the BSC ecosystem.
The incident serves as a reminder of the ever-present risks associated with DeFi platforms and the pressing need for proactive security strategies to safeguard user funds and platform integrity.