New Free DAO ($NFD) Losses $1.25 Million via Flash Loan Attack

On September 8, 2022, 02.09:25 AM UTC, Certik’s security infrastructure, Skynet, identified a flash loan attack on New Free DAO ($NFD) a DeFi protocol on the BSC chain. NFD suffered a flash loan attack of about $1.25M (4,481 BNB) although the hackers were only able to cash out 2,000 BNB ($556,556) leaving 2,481 BNB in the attacker’s wallet.

New Free DAO Hacked

After the hack, the $NFD token price saw a sharp decline, falling by 99%, with the attacker dumping a total of 6,838,792 NFD tokens. CertiK Skynet believes that this attack was orchestrated by the same group of hackers that stole 930 BNB from Neorder (N3DR) about four months ago.

Several DeFi protocols offer flash loans, which let users borrow substantial amounts of assets without making prior collateral deposits, unlike regular loans. The sole requirement is that the loan must be paid back in one transaction within a predetermined time frame. However, hackers frequently make use of this feature to amass significant assets to carry out expensive attacks against DeFi protocols.

Flash loan attacks are not new to the DeFi space, several projects have been victims of the attack. They work by essentially manipulating prices after the attacker takes out an uncollateralized loan. They are relatively easier to execute, hence their popularity.

 CertiK  alerted the crypto community about the 99% price slippage of the NFD token, further explaining that the attacker reportedly deployed an unverified contract and called the function “addMember()” to add itself as a member. The attacker later executed three flash loan attacks with the assistance of the unverified contract.

The Attack

The attacker first borrowed 250 Wrapped BNB (wBNB) worth $69,825 through the flash loan platform and swapped all of them for the native token NFD. The contract was then used to create multiple attack contracts to claim airdrop rewards multiple times. The attacker then swapped all the airdrop rewards for wBNB stealing a total of 4481 BNB.

The attacker then returned the borrowed loan of 250 BNB and swapped 2,000 BNB for 556,556 BSC-USD, the Binance-Peg token of the blockchain. After a while, the attacker moved 400 BNB to Tornado Cash.

Analysts at Certik, have noted that the vulnerability lay in an unverified rewarding contract deployed by the New Free DAO project. However, “because the rewarding contract is unverified, we do not know the root cause.”

Blockchain audit company, Beosin also warned about another vulnerability in the NFD protocol that could be open to another flash loan attack. The security firm said that the price could be manipulated since they are calculated “using the balance of USDT in the pair, so it may lead to flash loan attack if exploited.”

Despite significant security measures put in place by crypto and DeFi protocols, these projects continue to get exploited easily by hackers.

 In June 2022, DeFi protocol Inverse Finance suffered a flash loan hack which led to the loss of over $1.2 million worth of cryptocurrencies. On July 2, 2022, hackers targeted the Solana-based lending and borrowing platform Crema Finance in another flash loan attack and stole $8,782,446 from multiple liquidity pools. 

On September 7, 2022, reports emerged that Avalanche-based Nereus Finance has also suffered a flash loan attack, losing $371k to the bad actors.