Flash Loan Exploit Drains Liquidity From Nirvana Finance

  • Hacker used a flash loan attack to manipulate and drain Nirvana’s liquidity pools, causing the protocol to lose $3.49 million in digital assets.
  • Shortly after the attack, which used a flash loan from Solend, both Nirvana’s native token ANA and NIRV stablecoin fell in price by over 80%.

Solana-based decentralized finance (DeFi) yield protocol Nirvana Finance has fallen victim to an exploit, which saw the project lose $3.5 million from its treasury, the team behind the protocol said via Twitter on 28 July.

According to the announcement, a hacker used a flash loan — a way to borrow large amounts of funds at low cost, given that the loan is repaid in the same network block — from Solend to manipulate and drain Nirvana’s liquidity pools. Through this exploit, the attacker was able to steal $3.49 million worth of digital assets from the project’s treasury, which were then bridged to Ethereum through Wormhole and converted into DAI tokens. DeFi lending app Solend said it was aware of the exploit.

Blockchain data shows that the attacker minted $10 million worth of ANA tokens, which he then used to inflate the price of the token by manipulating Nirvana’s oracle feed. The tokens were then swapped for $13.49 million USDT, with $10 million being used to repay the initial loan, and $3.49 million going to this address.

Since the incident, the protocol’s native ANA token fell by over 85% in price, while the project’s NIRV stablecoin lost 90% of its U.S. dollar peg. Nirvana’s team is still investigating the attack, and has warned users to be “very careful with trading NIRV & ANA, as they currently have no guaranteed value”.

Flash loan attacks have become a popular way for hackers to exploit DeFi platforms and systems. Back in April, an attacker used a flash loan to pass two governance proposals on Beanstalk, which cost the protocol $182 million of total value locked. The same month, another attacker used an exploit similar to the one against Nirvana to steal $13.4 million from Deus Finance.
