Decentralized finance (DeFi) protocol New Free DAO reported a total loss of $1.25 million in instant loan attacks on September 8. After the attack, the protocol’s token lost 99 percent of its value.
Some DeFi protocols offer instant loans that allow users to borrow large amounts of assets without the need for upfront collateral, unlike regular loans. The only condition for these loans is that the loan amount must be paid back in a single transaction within the specified time. However, this feature is frequently abused by malicious people, who are getting lost by borrowing large amounts of assets.
Blockchain security firm Certik warned the community on Wednesday that there was a 99 percent price slide in the NFD token price post-instant loan. The cyber attacker allegedly added himself as a member with the “addMember()” function, using an unverified contract. Afterwards, he carried out three instant credit attacks with the help of the unconfirmed contract.
New Free Dao – $NFD was exploited via flash loan attack gaining the attacker 4481 WBNB (approx. ~$1.25M) causing the token to slip in price 99%.
The attacker has connections to Neorder – $N3DR attack from 4 months ago where they took 930 BNB at the time. pic.twitter.com/5Rcht3YiIK
— CertiK Alert (@CertiKAlert) September 8, 2022
The attacker first borrowed 250 WBNB worth $69,825 and converted them into NFD. Afterwards, the contract was used in several more attacks to get the airdrop rewards. All the airdrop rewards were subsequently converted to WBNB and the attacker made a profit of 4481 BNB.
The cyber attacker returned the borrowed 250 BNB of 4481 BNB. The remaining 2,000 BNB was converted to 550,000 BSC-USD. The attacker subsequently transferred 400 BNB to the popular coin mixing service Tornado Cash.