Flash loan attacks still very much active as another DeFi project losses $500,000
While one may have thought that hackers were done with flash loan attacks or DeFi projects have moved to evaluate their codebases, it appears the opposite is the case, and malicious attacks are still very much active in the scenes.
Binance Smart Chain project “Impossible Finance” is the latest DeFi protocol to suffer a flash loan exploit. According to posts on the multi-chain incubator project’s social media feeds on Monday, Impossible Finance lost around 230 ETH in a flash loan attack on its liquidity pool.
Hi Impossible Community, earlier today there was a flash loan attack on our IF Swap. User’s funds are safe and remain our number one priority.
— Impossible Finance (@impossiblefi) June 21, 2021
Thank you for your support and we are confident for a full recovery from this isolated incident.
A copycat attacker?
Mudit Gupta, a core developer with SushiSwap, explained that the exploit appears to be similar to that of BurgerSwap in late May. As reported by BTC PEERS, the attacker managed to steal over $7 million from the protocol back then.
Impossible finance got exploited today for $500k.https://t.co/mzCPRluOjn
— Mudit Gupta (@Mudit__Gupta) June 21, 2021
Same exploit as the burger swap one:https://t.co/3PkVtn7Hi7
If the original project gets hacked, why don't the forks react?
Meanwhile, security firm WatchPug revealed that the hacker executed several swaps in a row within the same price range. This vulnerability in the pool’s smart contract allowed the attacker to drain the liquidity pool, an act that would have otherwise been impossible due to slippage.
At 4 AM UTC, Jun 21, $0.5M was stolen from Impossible Finance.
— WatchPug (@WatchPug_) June 21, 2021
The hacker made multiple swaps in a row at about the same price and drained the LP, which is usually impossible.
How does Impossible Finance make the impossible possible?
Read our analysis:https://t.co/3r0p1dOFWz
As expected, the price of the project’s token crashed following the news. However, the Impossible Finance team said on Telegram that an insurance fund has been earmarked to compensate liquidity providers.
We have also prepared an insurance fund to ensure that your funds are safe and remain our number one priority. All users funds who deposited into liquidity pools (“LPs”) PRIOR to the attack will be 100% compensated.