An attacker stole $1.25 million worth of cryptocurrency from newly established decentralized finance protocol New Free DAO in a flash loan attack on Thursday. The thief has cashed out nearly half of the stolen funds so far.
Flash loans are fast, uncollateralized cryptocurrency loans, where a user can borrow and repay funds within one transaction. A DAO is a decentralized autonomous organization that uses blockchain to facilitate self-enforcing rules or protocols to carry out transactions.
The Thursday attack caused a sharp drop in the platform’s native token, $NFD, whose value slumped more than 99% from a day earlier. Its value had not recovered on Friday at the time of writing.
New Free DAO was established less than two weeks ago but had accumulated enough money to permit huge losses once exploited, says Ronghui Gu, CEO and co-founder of blockchain security company CertiK.
The attacker exploited a vulnerability in an unverified rewards smart contract on the BSC blockchain to carry out the attack, CertiK says in a blog post detailing the incident. The attacker first deployed a malicious contract, made themselves a member of the contract, and then executed functions that caused the contract to erroneously release funds that did not belong to the attacker.
The attacker currently holds $1.13 million worth of cryptocurrency in their wallet and moved $111,544 to sanctioned cryptocurrency mixer Tornado Cash.
The blockchain security company could not ascertain the attacker’s identity but said that the individual was also behind another malicious flash loan exploit on $N3DR, which resulted in the loss of cryptocurrency worth $297,000 at the time.