Flash loans have grown enormously in popularity recently. But it is not only conscientious investors who use the concept; black sheep take advantage of it too. The still relatively young DeFi platform Warp Finance has now had to learn this.
According to its latest tweets, the DeFi lending protocol Warp Finance has suffered a flash loan attack. The loss of digital assets could amount to up to 8 million US dollars. Warp Finance is a new DeFi platform that launched in early November. It allows its users to deposit Liquidity Provider (LP) tokens from other protocols and receive stablecoin loans in return.
In a Twitter post on Friday morning, Warp Finance writes:
The attacker was able to remove $7.7m of Stablecoins. Our team has a plan to recover approximately USD 5.5 million still in the security vault. Once successfully restored, these will be distributed to users who have suffered a loss.
The current attack follows a series of flash loans that exploited vulnerabilities in the Warp Finance protocol. The irregularities in the current case have also been pointed out by the DeFi analysis portal DeFi Prime, which has linked to the suspicious transaction. For the time being, users should not place any more stablecoins in their custody accounts, Warp Finance writes further. The team is working at full speed to clear up the incident. For this purpose, white-hat hackers are investigating the suspicious transaction that constituted the attack.
The co-founder of Marqet Exchange, Emiliano Bonassi, has also analysed the incident. He concludes that the attacker took out three Ether loans (wrapped Ether) via flash swaps on three different pools on Uniswap and two more on the dYdX trading platform. The funds were then used to mint WETH/DAI liquidity pool (LP) tokens. The attacker then used these in turn as collateral on Warp Finance to drain a significant amount from the USDC and DAI vaults.
This is a typical approach used by attackers to exploit vulnerabilities in DeFi protocols via a flash loan. The current example shows that smart contract audits, such as the one carried out by Hacken for Warp, do not necessarily protect against such attacks, because the attackers use the architecture of the system to their advantage.
The dangers posed by flash loans are not new: before Warp Finance, recent attacks hit bZx, Balancer, Origin Protocol, Akropolis and Harvest Finance. A possible solution could be, for example, to introduce dynamically adjustable transaction limits in case of doubt. This would at least limit the damage.
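
The transaction-limit idea from the last paragraph can be sketched as a small model. This is an added example, not Warp Finance's code: the class `RateLimitedVault`, its parameters and the 10 million vault size are assumptions made for illustration, and collateral checks are assumed to happen elsewhere.

```python
from collections import deque

class RateLimitedVault:
    """Toy stablecoin vault with a rolling, self-tightening borrow cap (hypothetical design)."""

    def __init__(self, liquidity, limit_bps=1000, window_blocks=10, floor_bps=100):
        self.liquidity = liquidity          # stablecoins available to lend (whole units)
        self.limit_bps = limit_bps          # share of the vault borrowable per window, in basis points
        self.window_blocks = window_blocks  # rolling window length, in blocks
        self.floor_bps = floor_bps          # the cap never tightens below this
        self._recent = deque()              # (block, amount) of borrows inside the window

    def remaining(self, block):
        """Amount still borrowable in the window ending at `block`."""
        while self._recent and self._recent[0][0] <= block - self.window_blocks:
            self._recent.popleft()          # expire borrows older than the window
        used = sum(amount for _, amount in self._recent)
        # The cap is computed on the vault size before this window's borrows,
        # so draining the vault does not shrink the baseline mid-window.
        cap = (self.liquidity + used) * self.limit_bps // 10_000
        return max(cap - used, 0)

    def borrow(self, amount, block):
        """Grant at most the remaining window allowance; return the amount granted."""
        allowance = self.remaining(block)
        if amount > allowance:
            # Oversized request: treat it as suspicious and halve the cap for later windows.
            self.limit_bps = max(self.limit_bps // 2, self.floor_bps)
        granted = min(amount, allowance, self.liquidity)
        if granted:
            self.liquidity -= granted
            self._recent.append((block, granted))
        return granted

def simulate():
    vault = RateLimitedVault(liquidity=10_000_000)  # constructed vault size
    drained = vault.borrow(7_700_000, block=100)    # request sized like the reported loss
    retry = vault.borrow(100_000, block=105)        # same window: allowance exhausted
    later = vault.borrow(100_000, block=110)        # new window, tightened cap
    return drained, retry, later, vault.liquidity, vault.limit_bps
```

In this model a single oversized request takes out one window's allowance instead of most of the vault, and the cap stays tightened until an operator resets it.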