Flurry Finance heist nets crypto thieves $295k – The Daily Swig

Adam Bannister 25 February 2022 at 15:20 UTC

Theft topped out at six figures after DeFi platform blocked ‘token balance multiplier’ exploit


Around $295,000 has been drained from the vaults of decentralized finance (DeFi) platform Flurry Finance following a hack on its smart contracts.

The attack took place on Tuesday (February 22) when a malicious hacker deployed an exploit that enabled the increase of a multiplier influencing the balance of rhoToken, a deposit token used by Flurry Finance for yield aggregation.

The upshot was an increase in the attackers’ token balance and the illicit withdrawal of additional funds, according to blockchain security company CertiK.

The attacker managed to repeat the process several times before Flurry Finance blocked further withdrawals by pausing smart contracts running on Polygon and the Binance Smart Chain (BSC).

Flash loan

CertiK said the attacker unleashed a malicious token contract, created a PancakeSwap pair for the token and Binance USD (BUSD), then took out a flash loan from Rabbit Finance’s bank contract.

Triggering the StrategyLiquidate function, which “decoded input data as the LP token address created in the previous step”, enabled execution of malicious code that rebased all vaults and updated the multipliers for rhoTokens.


“Because the rebasing was triggered in the process of a flashloan and tokens borrowed from the Bank contract were not returned yet, the low balance in the Bank contract led to a low multiplier,” explained CertiK.

After returning the flash loan and concluding the preparation transaction, the attacker deposited tokens at the low multiplier, updated the multiplier to a higher value, then withdrew tokens at the high multiplier.
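To make the accounting behind that sequence concrete, the following is an added Python model (constructed numbers; not code from Flurry Finance or CertiK) of a rebasing deposit token whose multiplier is recomputed from an external bank balance only when rebase() is called. The `strict` flag is an assumed mitigation, not the project's fix: it refuses a rebase that would lower the multiplier, which is what a bank drained by an unreturned flash loan produces.

```python
from fractions import Fraction

class StaleMultiplierError(Exception):
    """Raised by the hardened rebase when the multiplier would shrink."""

class RhoVault:
    """Rebasing token: balance(holder) = shares * multiplier; bank_balance models the external Bank."""

    def __init__(self, strict):
        self.strict = strict            # True: reject a multiplier that drops (assumed mitigation)
        self.bank_balance = Fraction(0)
        self.multiplier = Fraction(1)
        self.shares = {}
        self.total_shares = Fraction(0)

    def deposit(self, who, amount):
        minted = Fraction(amount) / self.multiplier
        self.shares[who] = self.shares.get(who, 0) + minted
        self.total_shares += minted
        self.bank_balance += amount

    def withdraw(self, who):
        minted = self.shares.pop(who)
        self.total_shares -= minted
        paid = minted * self.multiplier
        self.bank_balance -= paid
        return paid

    def rebase(self):
        # Multiplier derives from the bank's *current* balance: a call made while a flash loan
        # has drained the bank computes a misleadingly low value that stays stored afterwards.
        new = self.bank_balance / self.total_shares
        # Assumed mitigation: a yield vault's multiplier should not fall in a rebase; a drop
        # is treated as missing underlying and rejected instead of being stored.
        if self.strict and new < self.multiplier:
            raise StaleMultiplierError(f"multiplier would drop {self.multiplier} -> {new}")
        self.multiplier = new

def stale_multiplier_gain(strict):
    """Replay the article's sequence on constructed balances; return the attacker's gain."""
    vault = RhoVault(strict)
    vault.deposit("honest", 1000)       # honest depositors hold 1000 shares at multiplier 1
    vault.bank_balance -= 900           # flash loan drains the bank mid-transaction
    try:
        vault.rebase()                  # multiplier recomputed as 100/1000 = 0.1
    except StaleMultiplierError:
        vault.bank_balance += 900
        return Fraction(0)              # hardened vault: the stale value is never stored
    vault.bank_balance += 900           # loan repaid, but 0.1 is still the stored multiplier
    vault.deposit("attacker", 100)      # 100 underlying mints 1000 shares
    vault.rebase()                      # multiplier now 1100/2000 = 0.55
    return vault.withdraw("attacker") - 100   # 550 - 100 = 450, paid by the honest depositors
```

The honest depositors' 1000 shares are worth 550 after the unguarded run, which is where the gain comes from; with `strict=True` the first rebase is rejected and the stored multiplier never moves.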

CertiK, which audits smart contracts for Flurry Finance, has emphasized that “the exploit was caused by external dependencies”.

Rebasing on hold

In a community alert posted on Twitter yesterday (February 25), Flurry Finance said:

“Our team has got to the bottom of the issue, and [is] currently upgrading all the smart contracts on rhoTokens in order to avoid the exploitation from happening again.

“However, during the upgrade, the rebasing feature and all rhoToken services will remain suspended until further notice. We apologise for the inconvenience.”


Flurry Finance added that it intended to release a post-incident report “along with plans of resolution and compensation” next week.

The attacker’s ill-gotten gains are relatively minor in the context of cryptocurrency hacks that regularly lead to eye-watering seven- or even eight-figure losses.

For instance, money-laundering charges recently brought over the Bitfinex hack revealed that the attackers’ $70 million profits had since appreciated to $4.5 billion, while in December crypto-trading platform BitMart reported a $150 million theft.
