DeFi Protocol Impossible Finance Suffers $700k Heist

Decentralized finance (DeFi) protocol Impossible Finance (IF) has suffered a flash loan attack, losing $700k to the hackers. The IF team has made it clear that users’ funds are secure and that it will fully compensate all those affected by the attack shortly, according to a blog post on June 22, 2021.

Impossible Finance (IF) Attacked 

Impossible Finance (IF), a decentralized finance protocol on Binance Smart Chain (BSC), is the latest DeFi protocol to suffer a flash loan attack. Though the project claims the hack is an isolated incident that poses no significant threat to the protocol’s well-being, the ugly scenario has nonetheless made the hackers $700k richer.

As stated in its postmortem blog post, at the time of the attack, Impossible Finance had approximately $1.5 million in total value locked (TVL) split between its stablecoin pools and regular Uniswap invariant pools. 

However, the team says that, due to the slippage reduction functionality of the protocol’s custom-built “xybk formula,” the attackers were not able to steal the funds in the Impossible Finance stablecoin pools. As such, they were able to drain only $450k worth of BNB and BUSD, plus another $250k in IF governance tokens.

The team explained:

“The hacker uses a custom token call to swap at the pair level after getAmountsOut contract performs the x*y=k check. After which, _swap in the router calls cheapSwap which does not have x*y=k checks. The Uniswap invariant is supposed to quote a higher price for sequential swaps but with the custom token, the adversary was able to get 2 trades at the same price without slippage. The hacker then proceeded to borrow capital with a flash loan to leverage this weakness and drain our pools.” 
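The failure mode the team describes, a quote validated once and then settled twice through a path with no x*y=k check, can be reproduced in a toy model. The following is an added example, not code from Impossible Finance or its postmortem; the `Pair` class, function names and reserve figures are constructed assumptions, fees are ignored, and the custom-token callback is simplified to a reused quote.

```python
# Constructed toy model of a constant-product (x*y=k) pool. All names here are
# hypothetical; this is not Impossible Finance's contract code. Fees are ignored.

class InvariantError(Exception):
    """Raised when a swap would leave the pool with a smaller x*y."""


def get_amount_out(amount_in, reserve_in, reserve_out):
    """Router-style quote: the largest output that keeps x*y from shrinking."""
    return amount_in * reserve_out // (reserve_in + amount_in)


class Pair:
    def __init__(self, x, y):
        self.x, self.y = x, y

    def k(self):
        return self.x * self.y

    def swap(self, amount_in, amount_out, check_invariant):
        """Pay amount_in of X, take amount_out of Y."""
        new_x, new_y = self.x + amount_in, self.y - amount_out
        # The pair-level check: never trust an output computed elsewhere.
        if check_invariant and (new_y <= 0 or new_x * new_y < self.k()):
            raise InvariantError("swap would reduce x*y")
        self.x, self.y = new_x, new_y


def two_trades_one_quote(check_invariant, amount_in=100_000):
    """Quote once, then settle two trades at that same stale price."""
    pair = Pair(1_000_000, 1_000_000)  # constructed sample reserves
    k_before = pair.k()
    quote = get_amount_out(amount_in, pair.x, pair.y)
    rejected = False
    for _ in range(2):
        try:
            pair.swap(amount_in, quote, check_invariant)
        except InvariantError:
            rejected = True
    return k_before, pair.k(), rejected


if __name__ == "__main__":
    for check in (False, True):
        before, after, rejected = two_trades_one_quote(check)
        print(f"check={check}: k {before} -> {after}, rejected={rejected}")
```

With the check disabled, the second trade settles at the first trade's price and x*y falls below its starting value; with the check enforced inside the pair, the second trade is rejected and the pool keeps its value regardless of what the router quoted.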

Compensation Plan

Importantly, IF has made it clear that all victims of this flash loan attack will be fully reimbursed and that it is working around the clock to fix the loophole exploited by the bad actors.

“All users who deposited into liquidity pools prior to the attack will be 100 percent compensated. We are confident for a full recovery and have plans to emerge stronger from this.”

While hacks and flash loan attacks have become synonymous with DeFi protocols, BSC-based platforms are increasingly being targeted these days, and observers have even accused some of these projects of orchestrating the attacks themselves.

This year alone, numerous BSC-based DeFi protocols, including bEarn, PancakeBunny, Bogged Finance, and Spartan Protocol, amongst others, have “bent the knee” to flash loan attacks, prompting investors to urge the Binance team to add a rollback feature to the BSC platform.