Vulnerabilities in flash loan systems cannot be detected by smart contract audits as they exploit the design of the system
Decentralised finance (DeFi) lending protocol Warp Finance has admitted to a flash loan attack that has resulted in the loss of as much as $8 million in digital assets. The latest attack follows a series of flash loan incidents that have exploited vulnerabilities in DeFi protocols. A total of four such attacks were reported in a single week last month.
A flash loan typically refers to the practice of borrowing crypto assets and repaying them within the same transaction. Though flash loans are considered a significant tool for improving DeFi market efficiency, smart contract audits, such as the one conducted for Warp by Hacken, do not protect against flash loan attacks, as these exploit the design of the system.
Launched in early November this year, Warp Finance is aimed at enabling users to deposit liquidity provider tokens from other protocols and receive stablecoin loans in exchange. The platform is facing a loss of somewhere between $1 million and $8 million due to the attack.
Acknowledging the incident, Warp tweeted, “We are investigating irregular stablecoin loans taken out in the last hour. We recommend that you do not deposit anymore stablecoins until we have clarity on the irregularities.” One of the users soon responded to the notice, claiming to have lost 40,000 DAI.
DeFi analysis portal DeFi Prime then took notice of the irregular transaction and announced the flash loan attack and the possible loss suffered by Warp on Twitter. White-hat hackers are presently investigating the spurious transactions that led to the incursion.
Emiliano Bonassi, the co-founder of the Marqet Exchange, delved into the process behind the attack by saying, “This is the second attack which uses multiple flash liquidity, flash swaps via Uniswap and flash loans via dYdX.”
He further explained that the attackers requested three wrapped Ether (WETH) loans via flash swaps from three different pools on Uniswap and two more on the dYdX trading platform. These funds were used to mint WETH/DAI liquidity pool tokens, which were then used as collateral on Warp Finance to clear out the USDC and DAI vaults.
Warp Finance appears to be the latest casualty in a list of several protocols, including bZX, Balancer, Origin Protocol, Akropolis and Harvest Finance, that have all been victims of flash loan exploitation by crypto thieves.
The incident highlights the already pressing failure to fully understand the risks behind flash loans and points to the need for developing effective mitigation strategies to prevent such hacks in future.