Home Web3 SecurityCrypto Hacks & Exploits New Free DAO Flash Loan Attack—Sep 8, 2022—Detailed Hack Analysis

New Free DAO Flash Loan Attack—Sep 8, 2022—Detailed Hack Analysis

by ImmuneBytes


On September 8, 2022, New Free DAO, a decentralized autonomous organization (DAO) on the BNB Chain, fell victim to a flash loan attack.

The attacker deployed an unverified contract, borrowed 250 WBNB via a flash loan, converted it to NFD tokens, claimed rewards, and profited by repeating this process.

The attacker executed this scheme three times, amassing 4481 WBNB (approximately $1.25 million) and causing a 99% drop in $NFD’s value.

About ‘New Free DAO’

New Free DAO, abbreviated as NFD, was established as a DAO project, allowing its community to participate in governance decisions through token-based voting. The native token of the project, $NFD, was designed to serve various functions, primarily catering to the NFT ecosystem.

What is a Flash Loan Attack?

A flash loan attack is a sophisticated exploitation of smart contract vulnerabilities that enables an attacker to borrow substantial funds without collateral. These funds are then used to manipulate cryptocurrency prices for profit.

Additional Read: Flash Loans: Building up or Breaking down the DeFi?

Attack Sequence

The attack on New Free DAO unfolded as follows:

Contract Deployment:

The attacker deployed an unverified contract and added themselves as a member using the “addMember()” function, identified by the address https://bscscan.com/address/0x22c9736d4fc73a8fa0eb436d2ce919f5849d6fd2

Hacker Address: 0x22c9736d4fc73a8fa0eb436d2ce919f5849d6fd2.

Flash Loan and Token Swap:

Borrowing around 250 WBNB via a flash loan from PancakeSwap, the attacker converted WBNB into NFD tokens and transferred them to the malicious contract.

Reward Claiming:

The attacker initiated the “0xe2f9d09c” function within the contract, triggering the reward contract function for the reward claim. This process was repeated with multiple new contracts.

Profit Realization:

After accumulating rewards, the attacker converted NFD tokens back to WBNB, amassing approximately 3202 WBNB. They repaid the flash loan of 250 WBNB to PancakeSwap, resulting in a net profit of 2952 WBNB.

The Aftermath of the Attack

The attacker executed this series of transactions three times, accumulating a total profit of 4481 WBNB, roughly valued at $1.25 million. This exploit had a catastrophic effect on the native token of New Free DAO, causing its value to plummet by 99%.

The ill-gotten gains were funneled into Tornado Cash, a privacy-focused Ethereum mixer.

Preventive Measures Against Flash Loan Attacks

The rise in flash loan attacks within the DeFi space has prompted the exploration of two promising solutions:

  1. Decentralized Pricing Oracles: Implementing decentralized pricing oracles can enhance DeFi platform security by providing reliable, tamper-resistant price data.
  2. Implementation of DeFi Security Platforms: Utilizing specialized DeFi security platforms can fortify projects against vulnerabilities, ensuring robust protection against malicious actors.


The New Free DAO flash loan attack on September 8, 2022, underscores the need for proactive security measures within the DeFi sector.

It serves as a stark reminder of the constant threat posed by malicious actors and emphasizes the importance of a detailed audit of smart contracts to safeguard DeFi projects from such exploits.

You may also like