Nefarious parties are using flashloans in conjunction with stablecoins to steal DeFi funds from platforms.
An Ethereum-based decentralized finance platform known as Cheese Bank recently suffered a $3.3 million loss — the product of a hack in early November. The thieves utilized a somewhat newly found weakness in the DeFi sector that harnesses flashloans. The Cheese Bank thieves stole the cheddar via dollar-pegged stablecoins USD Coin (USDC), Tether (USDT) and Dai. A number of other platforms have also suffered similar fates in recent days.
“In the string of attacks, we have seen malicious actors use flash loans to instantaneously borrow, swap, deposit and again borrow large numbers of tokens so they can artificially manipulate the price of a specific token on a single exchange (e.g., Uniswap, Curve),” blockchain security firm PeckShield said in a blog post on Monday after citing Value DeFi and Akropolis as two other recent similar DeFi hacks.
“This sequence is essentially the foot in the door, allowing the attacker to then exploit that exchange’s anomalous pricing.”
Value DeFi suffered a hack similar to Cheese Bank’s a few days ago. A sly character pilfered $6 million from the blockchain-based protocol, also harnessing USDC, USDT and Dai in conjunction with the effort.
Flash loans, a function of the DeFi ecosystem, seem to offer a hole of sorts through which funds can be stolen. Malicious parties also recently hacked Akropolis in another similar incident.
Referring to the Cheese Bank hack in early November, the PeckShield post detailed: “This particular hack drains $3.3 million of USDC/USDT/DAI from Cheese Bank by exploiting a bug in its way to measure asset price from an AMM-based oracle.” The nefarious parties stole the funds on Nov. 6.
The decentralized finance niche of the crypto sector has exploded in 2020, representing the latest intra-sector bubble, with Uniswap serving as a popular DeFi exchange. The sector cooled for a period amid Bitcoin’s soaring price, although DeFi hype appears to be picking up once again.