Popular decentralized finance (DeFi) aggregator Flurry Finance is the latest to be attacked by malefactors.
According to multiple reports, over $290,000 was stolen from Flurry Finance vault contracts, prompting the project to halt all smart contracts of rhoTokens on its platform as well as on Polygon and Binance Smart Chain (BSC).
Our team is doing our best to investigate the exploitation. As a precautionary measure, we have paused all smart contracts of rhoTokens including those on #BSC and #Polygon, which means converting/ redeeming rhoTokens,
— Flurry Finance (@FlurryFi) February 23, 2022
Per the report, the attacker deployed a malicious contract in the protocol and further created a PancakeSwap pair for the RhoToken against Binance stablecoin (BUSD).
The malicious contract code, dubbed “FlurryRebaseUpkeep.performUpkeep()”, rebases all update multipliers for RhoTokens.
The illicit update was executed as part of a flash loan, while the tokens borrowed from the bank contract had not yet been returned, and the resulting low balance produced a low multiplier.
After a while, the attacker returned the flash loan. Further investigations show that the attacker conducted another transaction, but this time, the attacker deposited tokens using a lower multiplier and subsequently updated the multiplier to a higher value.
The hacker later made withdrawals with the higher multiplier.
Since the multiplier is one of the key reasons behind the spike in RhoToken balance, the attacker also recorded an increase in their own balance.
Based on this, they were able to withdraw more than what they deserved from the pool and the process was repeated several times, which resulted in more than $290,000 in losses.
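The accounting weakness described above, as an added illustration that is not Flurry Finance's contract code: a simplified Python model in which a holder's balance is shares times a multiplier and the multiplier is recomputed from the bank's spot balance. The class, the numbers and the `max_drift` guard are assumptions made for this example, showing how a bound on per-rebase movement keeps a temporarily low balance from setting the multiplier.

```python
from fractions import Fraction

class RebasingVault:
    """Toy model (assumed): balance = shares * multiplier."""

    def __init__(self, bank_balance, total_shares, max_drift=None):
        self.bank = Fraction(bank_balance)    # underlying held by the bank contract
        self.shares = Fraction(total_shares)  # internal units owned by holders
        self.multiplier = self.bank / self.shares
        self.max_drift = max_drift            # None = rebase trusts the spot balance

    def rebase(self):
        """Recompute the multiplier; refuse if it moves more than max_drift."""
        new = self.bank / self.shares
        if self.max_drift is not None:
            drift = abs(new - self.multiplier) / self.multiplier
            if drift > self.max_drift:
                return False                  # spot balance looks abnormal, keep old value
        self.multiplier = new
        return True

    def deposit(self, amount):
        """Mint shares at the current (possibly stale) multiplier."""
        minted = Fraction(amount) / self.multiplier
        self.bank += amount
        self.shares += minted
        return minted

    def balance_of(self, shares):
        return shares * self.multiplier


def claim_after_sequence(max_drift):
    """Replay the reported sequence on constructed numbers; return the
    balance credited for a deposit of 100 units."""
    v = RebasingVault(1000, 1000, max_drift)
    v.bank -= 900          # underlying temporarily out of the bank contract
    v.rebase()             # rebase runs while the balance is low
    v.bank += 900          # borrowed tokens returned
    mine = v.deposit(100)  # deposit priced with the multiplier left by that rebase
    v.rebase()             # multiplier updated again from the restored balance
    return v.balance_of(mine)


if __name__ == "__main__":
    print("unguarded rebase :", claim_after_sequence(None))
    print("5% drift bound   :", claim_after_sequence(Fraction(1, 20)))
```

With the unguarded rebase the 100-unit deposit is credited far more than it put in, at the expense of the other holders; with the drift bound the abnormal rebase is refused and the deposit is credited exactly 100.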
It is worth noting that the attackers only exploited funds in the FinanceRabbit Strategy. In an effort to prevent things from escalating, Flurry Finance announced that it has suspended all smart contract activities for RhoTokens on all networks.
It also noted that investigations are still ongoing and that it will release an update at the appropriate time.
Rise in Crypto Theft on DeFi Platforms
Hackers are always on the rampage, exploiting various loopholes found in various decentralized finance projects.
On a yearly basis, these malefactors steal millions of dollars from not only vulnerable projects but also from investors.
Earlier this month, we reported that attackers stole 4,828 Binance Coins (BNB) from Titano Finance, in an operation many suspected of being a rug pull.