The latest intrusion into DeFi involves fast loans… again.
The DeFi Warp Finance loan protocol has reportedly suffered a rapid loan attack that has resulted in the loss of up to $8 million in digital assets.
Reports indicate that one attacker has taken between $1 million, up to $8 million according to DeFi Prime. The losses follow a series of flash loans that have exploited vulnerabilities in the Warp Finance protocol.
Warp Finance is a new DeFi platform announced at the beginning of November which allows users to deposit liquidity provider (LP) tokens from other protocols and receive Bitcoin Benefit loans in exchange.
Warp Finance’s Twitter feed did not provide any other details at the time of writing this article apart from this:
„We are investigating irregular stablecoin loans taken in the last hour, we recommend that you do not deposit any more stablecoins until we are clear about the irregularities,“
A user [@Swind11001] responded to the notification by stating that he had lost 40,000 IADs;
„Please help me. This is the first time I have used the … I have invested 40,000 Dai in total. This money is all my savings. I cannot live without it.“
The DeFi Prime analysis portal has highlighted the suspicious transaction in question;
White hat hackers are investigating the fake transactions that led to the raid. Marqet Exchange co-founder Emiliano Bonassi has been digging deeper into what happened by stating;
„This is the second attack using multiple flash liquidity, flash sawps through Uniswap and flash loans through dYdX,“
He added that the attacker requested three loans of wrapped Ether through flash swaps from three different pools in Uniswap and two more in the dYdX trading platform. The funds were then used to coin WETH/DAI liquidity pool (LP) tokens that were used as collateral at Warp Finance to clean out its USDC and DAI vaults.
An urgent loan is when the collateral is borrowed and returned in the same transaction. Smart contract audits, such as the one conducted by Hacken for Warp, do not necessarily protect against them, as they exploit the design of the system.
The attack vector has been the weapon of choice for the DeFi protocols‘ crypt thieves this year, and several protocols such as bZX, Balancer, Origin Protocol, Akropolis and Harvest Finance have fallen victim. Warp Finance seems to be the latest victim.