September 20th, 2022
In September 2022, the DeFi project New Free DAO was the victim of a flash loan attack. The attacker exploited a reward calculation that could be inflated with temporarily borrowed funds to drain 4,481 WBNB, worth approximately $1.25 million, from the contract.
New Free DAO is a DeFi project hosted on Binance Smart Chain (BSC). Unlike many smart contracts in the DeFi space, the New Free DAO contract is not open source. This makes the contract harder to analyze, which hinders security researchers and attackers alike. However, the deployed bytecode is still public, and as the attack demonstrated, withholding the source provides no real security against a determined attacker.
The issue with the New Free DAO contract is that rewards are calculated from the balance an account currently has deposited in the contract. A user earns rewards both for the length of time that value has been deposited and for the size of the deposit, and in both cases the deposited amount is simply multiplied by a fixed rate to determine the reward. As the attack showed, nothing prevents a balance that is deposited and withdrawn within a single transaction from earning rewards.
This design leaves the contract vulnerable to flash loan attacks. Because a flash loan only has to be repaid before the borrowing transaction ends, an attacker can take out a massive loan, deposit it, claim rewards based on that inflated balance, withdraw the deposit, and repay the loan, all in one transaction and at no cost beyond gas and loan fees. Repeating this cycle allows the attacker to drain the contract's entire reward balance.
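The following is an added illustration of the mechanism, not code from New Free DAO (whose source is unverified, so its exact implementation is unknown). It models a reward pool whose payout is a pure function of the caller's current balance, runs the deposit-claim-withdraw flash loan cycle against it, and contrasts it with a time-weighted pool that settles rewards at the old balance before any balance change, so a balance held for zero blocks earns nothing. All names, rates and amounts are constructed for the example.

```python
# Constructed model of a flash-loan-drainable reward pool beside a time-weighted
# one. This is NOT the New Free DAO contract; it models only the mechanism the
# write-up describes. Integer arithmetic, rates expressed in basis points.

BPS = 10_000


class VulnerableRewardPool:
    """Reward = current deposited balance * rate. No holding period, so a balance
    that exists only for the duration of one transaction still earns."""

    def __init__(self, reward_reserve: int, rate_bps: int):
        self.reward_reserve = reward_reserve   # tokens available to pay rewards
        self.rate_bps = rate_bps               # reward per claim, in bps of balance
        self.deposits: dict[str, int] = {}
        self.block = 0                         # simulated block height

    def advance(self, blocks: int = 1) -> None:
        self.block += blocks

    def deposit(self, user: str, amount: int) -> None:
        self.deposits[user] = self.deposits.get(user, 0) + amount

    def withdraw(self, user: str) -> int:
        return self.deposits.pop(user, 0)

    def claim(self, user: str) -> int:
        # The defect: reward depends only on the balance at call time.
        reward = min(self.deposits.get(user, 0) * self.rate_bps // BPS,
                     self.reward_reserve)
        self.reward_reserve -= reward
        return reward


class HardenedRewardPool(VulnerableRewardPool):
    """Rewards accrue per block on the balance held during that block. Every
    balance change first settles accrued rewards at the *old* balance, so a
    deposit and claim in the same block (as in a flash loan) earn nothing."""

    def __init__(self, reward_reserve: int, rate_bps_per_block: int):
        super().__init__(reward_reserve, rate_bps_per_block)
        self.accrued: dict[str, int] = {}
        self.last_block: dict[str, int] = {}

    def _settle(self, user: str) -> None:
        elapsed = self.block - self.last_block.get(user, self.block)
        earned = self.deposits.get(user, 0) * self.rate_bps * elapsed // BPS
        self.accrued[user] = self.accrued.get(user, 0) + earned
        self.last_block[user] = self.block

    def deposit(self, user: str, amount: int) -> None:
        self._settle(user)
        super().deposit(user, amount)

    def withdraw(self, user: str) -> int:
        self._settle(user)
        return super().withdraw(user)

    def claim(self, user: str) -> int:
        self._settle(user)
        reward = min(self.accrued.get(user, 0), self.reward_reserve)
        self.accrued[user] = 0
        self.reward_reserve -= reward
        return reward


def flash_loan_attack(pool: VulnerableRewardPool, loan: int, rounds: int) -> int:
    """One flash-loan cycle per round, all inside a single block:
    borrow -> deposit -> claim -> withdraw -> repay. Returns rewards extracted."""
    extracted = 0
    for _ in range(rounds):
        pool.deposit("attacker", loan)
        extracted += pool.claim("attacker")
        principal = pool.withdraw("attacker")
        if principal != loan:      # the loan must be repaid in full or the tx reverts
            raise RuntimeError("flash loan could not be repaid")
        if pool.reward_reserve == 0:
            break                  # nothing left to drain
    return extracted


def honest_yield(pool_cls, reserve: int, rate_bps: int, stake: int, blocks: int) -> int:
    """Reward a depositor receives after genuinely holding `stake` for `blocks`."""
    pool = pool_cls(reserve, rate_bps)
    pool.deposit("alice", stake)
    pool.advance(blocks)
    return pool.claim("alice")


if __name__ == "__main__":
    vuln = VulnerableRewardPool(reward_reserve=1_000, rate_bps=100)
    print("vulnerable: drained", flash_loan_attack(vuln, loan=50_000, rounds=10),
          "reserve left", vuln.reward_reserve)
    hard = HardenedRewardPool(reward_reserve=1_000, rate_bps_per_block=100)
    print("hardened:   drained", flash_loan_attack(hard, loan=50_000, rounds=10),
          "reserve left", hard.reward_reserve)
```

With a 1,000-token reserve and a 1% rate, a 50,000-token flash loan empties the vulnerable pool in two rounds, while the hardened pool pays the attacker nothing and still pays an honest depositor who holds 1,000 tokens for ten blocks. Per-block checkpointing is one common fix; a minimum lock-up before rewards vest, or computing rewards from a balance snapshot taken in an earlier block, closes the same hole.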
The target of the New Free DAO hack was an unverified contract, meaning that no source code had been published and matched against the deployed bytecode on a block explorer such as BscScan. The bytecode can still be decompiled and read, but that is slower and less reliable than reviewing source, and a project that does not verify its source likely never commissioned the security audit that would have identified the issue.
Flash loan attacks exploiting insecure price oracles or reward calculations are nothing new in the DeFi space. Before deploying any contract whose rewards or prices depend on a caller's current balance, it is best to undergo a security audit to ensure that the mechanism cannot be gamed with funds that exist only for the duration of a single transaction. To learn more about how to prevent flash loan attacks, reach out to Halborn’s Web3 security experts at firstname.lastname@example.org.