“The attack caused Warp Finance to lose about $7.8 million, but the attacker’s method was not perfect, and more than 94,000 LP tokens are still locked in the mortgage vault,” said the security staff of the blockchain security company PeckShield.

Through tracking and analysis, PeckShield found that the attacker lent 4 flash loans from dYdX and Uniswap V2, totaling 2.9 million DAI and 344,800 WETH.

Subsequently, the attacker mortgaged 2.9 million DAI and 4519 WETH in Uniswap V2 to provide liquidity, minted 94,349 LP tokens, and converted the minted tokens into WarpVaultLP as the attacker's pledge certificate. It is worth noting that the price of LP tokens is 58.8 USDC at this time;

Next, the attacker converted 341,000 WETH into 47.6 million DAI in Uniswap V2, thereby raising the price of DAI, doubling the price of LP tokens to 135.5 USDC;

By raising the price of LP tokens and resetting the price of the price feed oracle certificate, it is beneficial for the attacker to further lend 3.86 million DAI and 3.9 million USDC (about 7.8 million US dollars in total) in Warp Finance;

secondary title

Flash loan attacks are frequent, why can hackers succeed?

The relevant person in charge of PeckShield explained: "The flash loan on the blockchain is a loan method that can be borrowed without collateral, but the lender must repay the loan within the same block, otherwise the transaction will fail. Therefore, flash loans are basically zero-cost and zero-risk for borrowing platforms. Hackers can use this loan method to lend a large amount of funds at a small cost, and then use the funds to cause price fluctuations in some digital assets , and profit from it.”

Due to frequent lightning loan attacks, this function has been criticized and is considered to be a cash machine for hackers; but there are also views that it exposes the loopholes of the protocol earlier, which is conducive to improving the security of the protocol.

The relevant person in charge of PeckShield suggested: "According to the characteristics of flash loans, loans and withdrawals must be completed in one block, so for DeFi protocol developers, a more secure design is not allowed to be in the same block. deposits and withdrawals, so that hackers trying to take advantage of flash loans have nothing to do.”

As an emerging lending model, flash loans are extremely attractive in terms of innovation, but it should not be a sickle for hackers. DeFi protocol developers should check their codes after the attack occurs. PeckShield reminds that if you don’t know about this, you should find a professional auditing agency for auditing and research to prevent problems before they happen.