Impossible Finance, a Binance Smart Chain (BSC) project, has suffered a massive flash loan attack, becoming the latest victim of decentralized finance (DeFi) exploits.
The attack on the protocol happened on June 21, with the still-to-be-identified perpetrators draining 229.84 ethereum valued at $500,000 at the time of the incident.
Flash loan attacks are now the norm for exploiting DeFi projects. In such an attack, hackers take an uncollateralized loan from a lending protocol and then, with some technical maneuvers, manipulate the market in their favor.
Over the past months, BSC has had its share of this kind of attack, with a multitude of projects losing millions in funds.
How the attack happened
Hackers used a fake token to launch a flash loan attack and exhaust the liquidity pool of the protocol. WatchPug, an auditing service provider, explained that there were consecutive swaps at about the same price involved in the attack. This, according to WatchPug, is usually impossible.
There was a vulnerability in the pool’s smart contract that allowed multiple swaps of the protocol’s native IF token to Binance USD stablecoin and then to Binance Coin, the native coin of Binance Chain.
SushiSwap core developer Mudit Gupta said the design of the attack wasn’t that innovative and took advantage of a vulnerability similar to the one exploited in the attack on the BurgerSwap protocol, which lost $7.2 million.
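To illustrate WatchPug's point that consecutive swaps at about the same price are usually impossible, the following added example (not code from Impossible Finance or WatchPug) models a constant-product pool and a monitoring check that flags swaps whose price fails to move after a large trade. The constant-product model, the fee, the thresholds and all trace values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

FEE = 0.003  # assumed swap fee; the article does not state the pool's fee


@dataclass
class Swap:
    amount_in: float
    amount_out: float

    @property
    def price(self) -> float:
        return self.amount_out / self.amount_in


def honest_swaps(reserve_in, reserve_out, amounts_in, fee=FEE):
    """Consecutive swaps through a pool that enforces reserve_in * reserve_out >= k."""
    swaps = []
    for amount in amounts_in:
        effective = amount * (1 - fee)
        out = reserve_out * effective / (reserve_in + effective)
        reserve_in += amount
        reserve_out -= out
        swaps.append(Swap(amount, out))
    return swaps


def flag_same_price_swaps(swaps, reserve_in, min_share=0.05, tolerance=0.005):
    """Indexes of swaps that executed at about the previous swap's price even
    though that previous swap was large relative to the pool (reserve_in is the
    input-side reserve before the first swap, used only to judge size)."""
    flagged = []
    for i in range(1, len(swaps)):
        prev, cur = swaps[i - 1], swaps[i]
        large = prev.amount_in >= min_share * reserve_in
        if large and cur.price >= prev.price * (1 - tolerance):
            flagged.append(i)
    return flagged


# Constructed traces, not data from the incident.
HONEST = honest_swaps(1000.0, 1000.0, [100.0, 100.0, 100.0])
SUSPICIOUS = [Swap(100.0, 90.0), Swap(100.0, 90.0), Swap(100.0, 89.9)]

if __name__ == "__main__":
    print([round(s.price, 4) for s in HONEST])
    print(flag_same_price_swaps(HONEST, 1000.0))
    print(flag_same_price_swaps(SUSPICIOUS, 1000.0))
```

In the honest trace each swap of 10% of the pool executes at a visibly worse price than the one before it, so nothing is flagged; the constructed suspicious trace keeps the same price across large swaps and is flagged.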
Dealing with the aftermath
In its official announcement channel, Impossible Finance published a report on the incident while also saying it had prepared an insurance fund.
The project’s team said all user funds deposited into liquidity pools before the attack will be compensated 100%. Moreover, in the aftermath of the incident, liquidity pool rewards are to cease and users have been advised not to add or withdraw funds for IF/BUSD and IF/BNB pairs.