$7 800 000 USD
DESCRIPTION OF EVENTS
"Warp Finance is an open finance platform that aims to extend the capabilities of liquidity provision, enabling new streams of yield." "The Warp Protocol’s primary objective is to create a novel use case for unused Liquidity Provider (LP) tokens by allowing them to be used as collateral for lending. Users will be able to deposit LP tokens onto the Warp platform and receive stablecoin loans in exchange, while their LP tokens continue to earn from Uniswap’s rewards." "The project was launched in October 2020."
“We are investigating suspicious loans made in the last hour and recommend not depositing stablecoins into the account until we have clarified all the details.” "Someone used multiple transactions within the flash loan scheme to drain USDC and DAI vaults of the protocol."
"The hacker utilized a complex scheme to retrieve a value much higher than the collateral limit, making the lender lose money." "On December 17th, 2020 the Warp Finance protocol experienced a flash loan exploit due to a gameable oracle that resulted in the user being able to withdraw a $7.76m loan. Due to the nature of the exploit, the collateral value is worth less than the loan, which is why a standard liquidation was unable to take place. The loan collateral has since been secured by the warp finance team and will allow us to return approximately 75% of users’ deposited funds, thanks to support from the Ethereum and white hat community."
"Using this technique, the attacker was able to remove $7.8m of DAI, aided by the fact that Warp.finance relied on vulnerable Uniswap LP token prices. This allowed them to borrow more than their collateral, and resulted in a loss of stablecoin lender funds."
"According to popular crypto-twitter blogger Nick Chong, the attacker got only $1 million in ETH. The rest had to be spent on commissions."
"Warp said it was able to recover the liquidity provider tokens that represented the collateral for $5.85 million. “We successfully recovered the exploiter’s loan collateral in the form of ETH/DAI-LP tokens. The value is approximately $5.85m, which is ~75% of the $7.76m lost funds,” it said in a statement."
"The project said it would distribute the recovered funds to affected users in the next 24 hours. The amount would be proportional to 75% of the liquidity token amount deposited by users, as the $7.7 million in stablecoins (held by the hacker) have still not been recovered."
"At 0230 UTC on December 22nd, 2020 [Cover Protocol] successfully dispersed ETH/DAI-LP tokens to users worth $5.688m representing approximately 73% of funds."
"It’s our commitment to ensure the longevity of the Warp Finance protocol through initially reimbursing the recovered collateral and then making efforts to compensate and incentivize user’s involvement in Warp Finance’s vision."
Warp Finance offered a lending platform where you can stake your liquidity provider tokens and earn interest.
Of course, you have to put your tokens into a smart contract. A hacker decided that they wanted the coins in the smart contract.
The exploit was highly inefficient and required some collateral which offset the losses, however the hacker still profited millions which was not returns to affected users.
HOW COULD THIS HAVE BEEN PREVENTED?
Always be careful with where funds are stored. Smart contracts are not provably secure. The best security for the storage of cryptoassets is an offline multi-signature wallet.
Rekt - Leaderboard (May 13)
Rekt - Warp Finance - REKT (May 16)
Hackers Withdrew $7.7 Million From Warp Finance's DeFi Protocol (May 18)
@warpfinance Twitter (May 18)
warp.finance (May 18)
Hacker drains DeFi protocol Warp Finance, nearly $8 million lost (May 18)
Warp Finance Recovers $5.8 Million Days After Hack - Decrypt (May 18)
Warp Finance Exploit Summary - Recovery of Funds (May 18)
Warp Finance loses $7.7 million in flash loan Defi hack | Bitcoin Insider (May 18)
Warp Finance Announces Promising Strides Towards Recompensating Users After $8 Million Flash Loan Attack | Crypto News Point (May 18)
CipherTrace Cryptocurrency Crime and Anti-Money Laundering Report 2020 (Jun 20)
SlowMist Hacked - SlowMist Zone (May 18)
Blockchain Hacks: 2020 | $15 billion lost, how can we mitigate hacks in 2021? | CertiK Foundation Blog (Jul 23)