$251 000 USD

FEBRUARY 2022

GLOBAL

FLURRY FINANCE

DESCRIPTION OF EVENTS

"Flurry Finance is the future of yield farming. The Flurry Protocol is a yield aggregator that provides earn, trade, and spend with stability, flexibility, and ease!" "No lockup periods, nor technical barriers, it offers a better user experience on DeFi that allows you to use your tokens as a medium of exchange while earning yield." "Start your passive income today with rhoTokens."

 

"FLURRY is the governance token of the Flurry protocol, available on swaps and exchanges." "By holding FLURRY, you can vote on various parameters in determining the development of Flurry protocol such as fee percentages, whitelisting or blacklisting yield farming DeFi protocols, or even proposing new strategies in the yield farming process. It is like stocks, except it is in token form on the decentralized network."

 

"Yield aggregators are tapped into Ethereum-based and Binance Smart Chain (BSC) based products, while FLURRY is targeting to work cross-chain in order to look for the best yield after taking the transaction cost into consideration." "The price of rhoToken is pegged 1:1 to the underlying stablecoin. As a result, rhoTokens can be spent the same way as the underlying stablecoin. Users do not have to redeem their rhoTokens before they use their fund. In other words, it is more flexible and user oriented, as your fund won’t be locked-up." "The whole yield generation process is fully automated and transparent to users. Flurry DApp gives a clear picture of how and how much interest is earned once you have made a deposit. All users have to do is to hold the rhoTokens and the wallet balance will grow to reflect the interest earned."

 

"rhoToken is a cross-chain token which is pegged 1:1 to its underlying stablecoin. The Flurry protocol automates the yield farming process with rhoTokens, sparing users all the tedious task of switching in and out of DeFi products on different chains to generate yield with your deposit. In return, you will get rhotokens (rhoUSDC, rhoUSDT, rhoBUSD) which you can hodl, trade and spend as a medium of exchange while earning an interest automatically - something that stablecoin couldn’t do."

 

"[The Flurry Finance] team [is] composed of graduates from Cornell University, Stanford University and Imperial College London, and pedigrees from JP Morgan, Barclays Capital, KBC Financial Products, Daiwa Capital Markets and Societe Generale."

 

"Flurry Finance’s Vault contract was hit by a flash loan attack, resulting in the theft of approximately $293,000 worth of assets in the Vault contract." "The attack took place on Tuesday (February 22) when a malicious hacker deployed an exploit that enabled the increase of a multiplier influencing the balance of rhoToken, a deposit token used by Flurry Finance for yield aggregation."

 

"CertiK said the attacker unleashed a malicious token contract, created a PancakeSwap pair for the token and Binance USD (BUSD), then took out a flash loan from Rabbit Finance’s bank contract."

 

"Per the report, the attacker deployed a malicious contract in the protocol and further created a PancakeSwap pair for the RhoToken against Binance stablecoin (BUSD)."

 

"The creation of the malicious contract code dubbed “FlurryRebaseUpkeep.performUpkeep()” rebases all update multipliers for RhoTokens." "After a while, the attacker returned the flash loan. Further investigations show that the attacker conducted another transaction, but this time, the attacker deposited tokens using a lower multiplier and subsequently updated the multiplier to a higher value."

 

"The hacker later made withdrawals with the higher multiplier." "Since the multiplier is one of the key reasons behind the spike in RhoToken balance, the attacker also recorded an increase in their own balance." "Based on this, they were able to withdraw more than what they deserved from the pool and the process was repeated several times, which resulted in more than $290,000 in losses." "The illicit update was executed in the form of a flash loan and all tokens borrowed from the bank contract were not returned, and the low balance subsequently resulted in a low multiplier."

 

"Triggering the StrategyLiquidate function, which “decoded input data as the LP token address created in the previous step”, enabled execution of malicious code that rebased all vaults and update multipliers for rhoTokens."

 

“Because the rebasing was triggered in the process of a flashloan and tokens borrowed from the Bank contract were not returned yet, the low balance in the Bank contract led to a low multiplier,” explained CertiK.

 

"After returning the flash loan and concluding the preparation transaction the attacker proceeded to deposit tokens with the low multiplier, updated the multiplier to a higher value, then withdrew tokens with the high multiplier."
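The deposit-at-low-multiplier, rebase, withdraw-at-high-multiplier sequence that CertiK describes above, as an added Python model that is not part of this page or of Flurry Finance's contracts. The `Bank` and `Vault` classes, the `keeper` name and all amounts are constructed assumptions; the model keeps only what the quotes state: a user's rhoToken balance is shares times a multiplier, and the multiplier is recomputed from the bank contract's balance, which is low while borrowed tokens have not been returned. The `hardened` variant adds two defensive rules a reviewer would look for: restricting rebase to a trusted keeper, and refusing to rebase while the bank's live balance is below its own accounted deposits.

```python
# Added illustration: a toy rebasing deposit token whose per-share multiplier
# is recomputed from a lending "bank" balance, mirroring the mechanism the
# quotes above describe. Class names, the keeper name and the amounts are
# constructed for this example; none of it is Flurry Finance's code.

PRECISION = 10 ** 18  # fixed-point scale for the multiplier (1.0 == PRECISION)


class Bank:
    """Lending pool holding the vault's underlying stablecoin (constructed)."""

    def __init__(self):
        self.balance = 0   # live token balance: dips while a flash loan is outstanding
        self.deposits = 0  # internally accounted deposits: unaffected by a transient loan

    def flash_borrow(self, amount):
        self.balance -= amount

    def flash_repay(self, amount):
        self.balance += amount


class Vault:
    """rhoToken-style vault: a user's token balance equals shares * multiplier.

    hardened=False reproduces the weakness described on this page: any caller
    may trigger a rebase, and the multiplier is read off the bank's live balance.
    hardened=True adds two defensive rules: only the trusted keeper may rebase,
    and a rebase is refused while the bank's live balance is below its accounted
    deposits (i.e. while borrowed funds have not been returned).
    """

    def __init__(self, bank, keeper, hardened):
        self.bank = bank
        self.keeper = keeper
        self.hardened = hardened
        self.multiplier = PRECISION
        self.total_shares = 0
        self.shares = {}

    def rebase(self, caller):
        if self.hardened and caller != self.keeper:
            raise PermissionError("rebase is restricted to the trusted keeper")
        if self.hardened and self.bank.balance < self.bank.deposits:
            raise ValueError("bank balance below accounted deposits; refusing to rebase")
        if self.total_shares == 0:
            return self.multiplier
        self.multiplier = self.bank.balance * PRECISION // self.total_shares
        return self.multiplier

    def deposit(self, user, amount):
        minted = amount * PRECISION // self.multiplier
        self.shares[user] = self.shares.get(user, 0) + minted
        self.total_shares += minted
        self.bank.balance += amount
        self.bank.deposits += amount
        return minted

    def withdraw_all(self, user):
        owned = self.shares.pop(user, 0)
        self.total_shares -= owned
        amount = owned * self.multiplier // PRECISION
        self.bank.balance -= amount
        self.bank.deposits -= amount
        return amount


def rebase_permitted(vault, caller):
    """True if `caller` can trigger a rebase on `vault` in its current state."""
    try:
        vault.rebase(caller)
        return True
    except (PermissionError, ValueError):
        return False


def run_scenario(hardened):
    """Replay the deposit-during-dip, rebase, withdraw-after-recovery sequence.

    Returns (opportunist_gain, honest_payout) using constructed amounts: an
    honest user deposits 1000, a 900 flash loan is taken from the bank, a second
    account deposits 100 while the multiplier reflects the dip, the loan is
    repaid, and both accounts withdraw after the final rebase.
    """
    bank = Bank()
    vault = Vault(bank, keeper="keeper", hardened=hardened)
    vault.deposit("honest", 1000)

    bank.flash_borrow(900)             # live balance drops from 1000 to 100
    rebase_permitted(vault, "keeper")  # vulnerable: multiplier falls to 0.1; hardened: refused
    vault.deposit("opportunist", 100)
    bank.flash_repay(900)              # loan returned; live balance recovers to 1100
    vault.rebase("keeper")             # multiplier recomputed on the recovered balance

    opportunist_gain = vault.withdraw_all("opportunist") - 100
    honest_payout = vault.withdraw_all("honest")
    return opportunist_gain, honest_payout


if __name__ == "__main__":
    print("vulnerable vault (gain, honest payout):", run_scenario(hardened=False))
    print("hardened vault   (gain, honest payout):", run_scenario(hardened=True))
```

Run with `python3`. The vulnerable variant returns (450, 550): the late depositor takes out 450 more than it put in, and the honest depositor's 1000 is paid out as 550, so the bank still balances and the loss lands on existing holders rather than being created from nothing. The hardened variant returns (0, 1000). The keeper rule stands in for whatever access control fits a given protocol; the point the incident illustrates is that an accounting update must not be reachable by arbitrary callers in the middle of a transaction in which the balance it reads has been temporarily drained.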

 

CertiK, which audits smart contracts for Flurry Finance, has emphasized that “the exploit was caused by external dependencies”.

 

“Our team has got to the bottom of the issue, and [is] currently upgrading all the smart contracts on rhoTokens in order to avoid the exploitation from happening again.”

 

"Our team is doing our best to investigate the exploitation. As a precautionary measure, we have paused all smart contracts of rhoTokens including those on #BSC and #Polygon, which means converting/ redeeming rhoTokens,"

 

"It is worth noting that the attackers only exploited funds in the FinanceRabbit Strategy. In an effort to prevent things from escalating, Flurry Finance announced that it has suspended all smart contract activities for RhoTokens on all networks."

 

"Flurry Finance told The Daily Swig on March 1: “Our team is in full swing to redeploy all smart contracts on the FLURRY protocol after a full sweep of security checks again. We will issue the hack report/ compensation plan later this week. [We] hope it will give you more idea on the hack, and [the] other precautionary [measures taken].”"

 

"We have been working day and night, not only to tighten the security system of the Flurry Protocol (FlurryPro), as well as to upgrade all relevant rhoToken contracts in preparation for redeployment to compensate the losses induced by this unfortunate incident to all affected users."

 

"As mentioned in previous tweets, we will compensate all losses induced by this incident to our users. However, since it will involve the redeployment of rhoTokens, it will take us some time to restore the rhotokens balance for all rhoToken hodlers." "Our team Flurry Finance would like to thank you for your patience and support throughout the unfortunate incident in which the exploitation has cost the loss of a total sum of USD 250,668.11 on the Flurry Protocol (FlurryPro)."

 

"The redeployment will be ready by the week of 21 March." "Our team will create a new rhoUSDT & rhoBUSD contract on BNB Chain, which remains to be pegged 1:1 to its underlying stablecoins. All affected users’ balances will be restored automatically once the new smart contract is being deployed." "Users will only have to add the newly deployed rhoUSDT or rhoBUSD in your wallet to see the token balance."

 


Flurry Finance is a yield farming protocol which offers a stablecoin-pegged token (rhoToken) that accrues interest. An attacker exploited the protocol's Vault smart contract and removed between $251,000 and $293,000 USD worth of funds by inflating their rhoToken balance through a flash-loan-assisted manipulation of the balance multiplier. The protocol has vowed to reimburse all affected users and has begun putting together a description of what will be reimbursed, although that process is still underway.
