Nirvana Finance Suffers a $3.49 Million Flash Loan Attack

Evening

So we have got another exploit on our hands: Solana-based DeFi protocol Nirvana Finance suffered a $3.5 million loss in a flash loan attack two days ago. A similar flash loan attack hit another Solana-based DeFi protocol, Crema Finance, about a month ago.

How did it happen? The Nirvana Finance exploit is a classic example of a flash loan attack. The exploiter took a $10 million USDC loan from the lending protocol Solend and used the funds to mint Nirvana's native ANA tokens. The hacker then sold those ANA tokens for $13.49 million USDT and returned the $10 million USDC loan. The whole activity thus yielded a $3.49 million gain for the hacker. Finally, the hacker swapped the $3.49 million worth of USDT to DAI in his Ethereum wallet.

Apparently, the flash loan attack exploited Nirvana's own protocol; Solend was only the flash loan provider and had nothing to do with it. Nirvana Finance has already acknowledged the discrepancy on its part. The hacker uploaded a malicious program on chain to artificially inflate the ANA price from $8 to $24, so that he could later dump those tokens immediately at the higher price and bag the profit.

What are flash loans and flash loan attacks? Flash loans are loans without collateral that are taken out and settled within a single transaction: the borrower receives the amount and pays it back immediately in that same transaction. The real utility of flash loans lies in arbitrage. For example, if multiple markets value an asset differently, traders can use flash loans to buy and sell the token on those markets and bag the arbitrage profit.

But sometimes hackers succeed in creating fake arbitrage opportunities by exploiting vulnerable smart contracts. The exploiter gets the tokens at a low price using a flash loan, sells them at an artificially higher price to the exploited contract, returns the flash loan, and bags a heavy profit.
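From a monitoring point of view, the pattern described above (flash borrow, large price move, repayment, all in one transaction) can be checked mechanically. The following is an added example, not code from Nirvana, Solend, or the original post; the `Step` record, the `flag_price_swing` name, the 1.5x threshold, the per-step price attribution, and the sample transactions are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Step:
    action: str                          # "flash_borrow", "mint", "sell", "flash_repay", ...
    usd_amount: float                    # USD value moved by this step
    price_after: Optional[float] = None  # protocol-quoted token price after the step, if it changed

def flag_price_swing(steps, start_price, max_ratio=1.5):
    """Return a finding if the quoted price moves by more than max_ratio
    between a flash borrow and its repayment in one transaction, else None."""
    price = low = high = start_price
    borrowed = None
    for s in steps:
        if s.action == "flash_borrow":
            # Start tracking the price range from the moment the loan is open.
            borrowed, low, high = s.usd_amount, price, price
        if s.price_after is not None:
            price = s.price_after
            if borrowed is not None:
                low, high = min(low, price), max(high, price)
        if s.action == "flash_repay" and borrowed is not None:
            ratio = high / low
            if ratio > max_ratio:
                return {"borrowed_usd": borrowed, "low": low, "high": high, "ratio": ratio}
            borrowed = None  # loan closed without a suspicious swing
    return None

# Constructed sample transactions (not real on-chain data).
SUSPICIOUS_TX = [
    Step("flash_borrow", 10_000_000),
    Step("mint", 10_000_000, price_after=24.0),   # quoted price jumps from 8 to 24
    Step("sell", 13_490_000),
    Step("flash_repay", 10_000_000),
]
ARBITRAGE_TX = [
    Step("flash_borrow", 1_000_000),
    Step("buy", 1_000_000, price_after=8.05),
    Step("sell", 1_004_000, price_after=8.0),
    Step("flash_repay", 1_000_000),
]

if __name__ == "__main__":
    print(flag_price_swing(SUSPICIOUS_TX, start_price=8.0))  # finding with ratio 3.0
    print(flag_price_swing(ARBITRAGE_TX, start_price=8.0))   # None
```

An ordinary arbitrage moves the quoted price by a fraction of a percent while the loan is open, whereas the constructed suspicious transaction triples it, which is what the check keys on.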

Future of Nirvana Finance

Following the exploit, the price of the ANA token dipped sharply from $8.93 to $1.03 and is currently at $0.93. Nirvana's stablecoin NIRV also lost its peg and is currently trading at $0.12.

Nirvana Finance has already offered the hacker a $300K bug bounty for the return of the stolen funds, but two days have passed since the hack with no reply from the hacker. So far Nirvana Finance hasn't been able to recover, as its stablecoin NIRV continues to trade way below the peg. It seems the Nirvana team has also given up on the ANA and NIRV tokens, as they advised the public to be careful while trading them.

As of now, it is safe to say that Nirvana Finance is taking its last breaths. A sad moment for all the ANA and NIRV token holders and a shame for the whole DeFi world.