Flurry Finance Vault Flash Loan Attack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 10:50, 28 January 2023 by Azoundria (talk | contribs)


Flurry Finance

Flurry Finance is a yield farming protocol which offers a stablecoin with interest. An attacker was able to exploit the smart contract hot wallet and removed between $251,000 and $293,000 USD worth of funds by increasing their token balance using a flash loan. The protocol has vowed to reimburse all affected users, and has started to put together a description of what will be reimbursed, although this process is still underway.

This is a global/international case not involving a specific country.

About Flurry Finance

"Flurry Finance is the future of yield farming. The Flurry Protocol is a yield aggregator that provides earn, trade, and spend with stability, flexibility, and ease!" "No lockup periods, nor technical barriers, it offers a better user experience on DeFi that allows you to use your tokens as a medium of exchange while earning yield." "Start your passive income today with rhoTokens."

"FLURRY is the governance token of the Flurry protocol, available on swaps and exchanges." "By holding FLURRY, you can vote on various parameters in determining the development of Flurry protocol such as fee percentages, whitelisting or blacklisting yield farming DeFi protocols, or even proposing new strategies in the yield farming process. It is like stocks, except it is in token form on the decentralized network."

"Yield aggregators are tapped into Ethereum-based and Binance Smart Chain (BSC) based products, while FLURRY is targeting to work cross-chain in order to look for the best yield after taking the transaction cost into consideration." "The price of rhoToken is pegged 1:1 to the underlying stablecoin. As a result, rhoTokens can be spent the same way as the underlying stablecoin. Users do not have to redeem their rhoTokens before they use their fund. In other words, it is more flexible and user oriented, as your fund won’t be locked-up." "The whole yield generation process is fully automated and transparent to users. Flurry DApp gives a clear picture of how and how much interest is earned once you have made a deposit. All users have to do is to hold the rhoTokens and the wallet balance will grow to reflect the interest earned."

"rhoToken is a cross-chain token which is pegged 1:1 to its underlying stablecoin. The Flurry protocol automates the yield farming process with rhoTokens, sparing users all the tedious tasks of switching in and out of DeFi products on different chains to generate yield with your deposit. In return, you will get rhoTokens (rhoUSDC, rhoUSDT, rhoBUSD) which you can hodl, trade and spend as a medium of exchange while earning an interest automatically - something that stablecoin couldn’t do."

"[The Flurry Finance] team [is] composed of graduates from Cornell University, Stanford University and Imperial College London, and pedigrees from JP Morgan, Barclays Capital, KBC Financial Products, Daiwa Capital Markets and Societe Generale."

"Flurry Finance’s Vault contract was hit by a flash loan attack, resulting in the theft of approximately $293,000 worth of assets in the Vault contract." "The attack took place on Tuesday (February 22) when a malicious hacker deployed an exploit that enabled the increase of a multiplier influencing the balance of rhoToken, a deposit token used by Flurry Finance for yield aggregation."

"CertiK said the attacker unleashed a malicious token contract, created a PancakeSwap pair for the token and Binance USD (BUSD), then took out a flash loan from Rabbit Finance’s bank contract."

"Per the report, the attacker deployed a malicious contract in the protocol and further created a PancakeSwap pair for the RhoToken against Binance stablecoin (BUSD)."

"The creation of the malicious contract code dubbed “FlurryRebaseUpkeep.performUpkeep()” rebases all update multipliers for RhoTokens." "After a while, the attacker returned the flash loan. Further investigations show that the attacker conducted another transaction, but this time, the attacker deposited tokens using a lower multiplier and subsequently updated the multiplier to a higher value."

"The hacker later made withdrawals with the higher multiplier." "Since the multiplier is one of the key reasons behind the spike in RhoToken balance, the attacker also recorded an increase in their own balance." "Based on this, they were able to withdraw more than what they deserved from the pool and the process was repeated several times, which resulted in more than $290,000 in losses."

"The illicit update was executed in the form of a flash loan and all tokens borrowed from the bank contract were not returned, and the low balance subsequently resulted in a low multiplier."

"Triggering the StrategyLiquidate function, which “decoded input data as the LP token address created in the previous step”, enabled execution of malicious code that rebased all vaults and update multipliers for rhoTokens."

“Because the rebasing was triggered in the process of a flashloan and tokens borrowed from the Bank contract were not returned yet, the low balance in the Bank contract led to a low multiplier,” explained CertiK.

"After returning the flash loan and concluding the preparation transaction the attacker proceeded to deposit tokens with the low multiplier, updated the multiplier to a higher value, then withdrew tokens with the high multiplier."

CertiK, which audits smart contracts for Flurry Finance, has emphasized that “the exploit was caused by external dependencies”.
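The multiplier accounting described in the quotes above, as an added example that is not part of the original case study and is not Flurry Finance's or CertiK's code: a constructed Python model of a rebasing vault whose per-share multiplier is recomputed from the spot balance of an external "bank" contract that also issues flash loans. The Bank and Vault classes, the multiplier formula (bank balance divided by total shares), the guards in the hardened variant and all figures are assumptions chosen to show why a balance read during a flash loan produces a collapsed multiplier, how the deposit-low / rebase / withdraw-high sequence moves value away from an honest depositor, and what a vault can check to refuse the bad reading.

```python
# Constructed model of a rebasing vault whose per-share multiplier is derived
# from the spot balance of an external "bank" contract. Not Flurry Finance's
# code: the Bank/Vault names, the multiplier formula and the numbers are
# assumptions chosen to show the accounting failure and two guards against it.
from dataclasses import dataclass, field

PRECISION = 10**18  # fixed-point scale for the multiplier


class RebaseRejected(Exception):
    """Raised by the hardened vault when a rebase would use an unsafe reading."""


@dataclass
class Bank:
    """External pool that backs the vault and also hands out flash loans."""
    balance: int
    outstanding_loans: int = 0

    def flash_borrow(self, amount: int) -> None:
        self.balance -= amount
        self.outstanding_loans += amount

    def flash_repay(self, amount: int) -> None:
        self.balance += amount
        self.outstanding_loans -= amount


@dataclass
class Vault:
    """Deposits mint shares; a user's balance is shares * multiplier."""
    bank: Bank
    hardened: bool = False
    total_shares: int = 0
    multiplier: int = PRECISION
    shares: dict = field(default_factory=dict)

    def rebase(self) -> int:
        """Recompute the multiplier from the bank's current balance."""
        if self.total_shares == 0:
            return self.multiplier
        new_mult = self.bank.balance * PRECISION // self.total_shares
        if self.hardened:
            # Guard 1: a balance read while flash-loaned funds are out is transient.
            if self.bank.outstanding_loans > 0:
                raise RebaseRejected("bank balance is transient during a flash loan")
            # Guard 2: an interest-bearing multiplier should never fall; a drop
            # signals a bad backing measurement, so refuse it and flag it.
            if new_mult < self.multiplier:
                raise RebaseRejected("multiplier would decrease")
        self.multiplier = new_mult
        return new_mult

    def deposit(self, user: str, amount: int) -> int:
        if self.hardened:
            self.rebase()  # never price a deposit with a stale multiplier
        minted = amount * PRECISION // self.multiplier
        self.shares[user] = self.shares.get(user, 0) + minted
        self.total_shares += minted
        self.bank.balance += amount
        return minted

    def balance_of(self, user: str) -> int:
        return self.shares.get(user, 0) * self.multiplier // PRECISION

    def withdraw_all(self, user: str) -> int:
        if self.hardened:
            self.rebase()
        amount = self.balance_of(user)
        self.total_shares -= self.shares.pop(user, 0)
        self.bank.balance -= amount
        return amount


def run_scenario(hardened: bool) -> dict:
    """Replay the deposit-low / rebase / withdraw-high sequence against a vault."""
    bank = Bank(balance=0)
    vault = Vault(bank, hardened=hardened)
    vault.deposit("honest", 1_000_000)
    bank.balance += 50_000          # 5% yield accrues to the bank
    vault.rebase()                  # multiplier -> 1.05
    honest_before = vault.balance_of("honest")

    # Preparation transaction: borrow most of the bank, trigger a rebase while
    # the funds are out, then repay. The vulnerable vault stores a collapsed
    # multiplier (150,000 / 1,000,000 = 0.15); the hardened one rejects it.
    loan = 900_000
    bank.flash_borrow(loan)
    try:
        vault.rebase()
    except RebaseRejected:
        pass
    bank.flash_repay(loan)

    # Second transaction: deposit at the stored multiplier, refresh it, withdraw.
    attacker_in = 50_000
    vault.deposit("attacker", attacker_in)
    try:
        vault.rebase()
    except RebaseRejected:
        pass
    attacker_out = vault.withdraw_all("attacker")
    return {
        "attacker_in": attacker_in,
        "attacker_out": attacker_out,
        "honest_before": honest_before,
        "honest_after": vault.balance_of("honest"),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "vulnerable", run_scenario(mode))
```

In the vulnerable run the 50,000 deposit at the stale 0.15 multiplier mints 333,333 shares, the refresh after repayment prices those shares at about 0.825, and the withdrawal returns roughly 275,000 while the honest depositor's balance falls from 1,050,000 to 825,000; the shortfall is socialised silently, since total claimable still equals the bank balance. In the hardened run the rebase during the loan is refused, the deposit is priced at the live multiplier, and the honest balance is unchanged. Guard 1 assumes the lender exposes its outstanding-loan state; a lender that does not is exactly the kind of external dependency the audit note above points at, and the vault then needs a backing measurement the lender cannot distort within a transaction (for instance a value recorded by a trusted keeper rather than a spot balance read on demand).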

“Our team has got to the bottom of the issue, and [is] currently upgrading all the smart contracts on rhoTokens in order to avoid the exploitation from happening again.”

"Our team is doing our best to investigate the exploitation. As a precautionary measure, we have paused all smart contracts of rhoTokens including those on #BSC and #Polygon, which means converting/ redeeming rhoTokens,"

"It is worth noting that the attackers only exploited funds in the FinanceRabbit Strategy. In an effort to prevent things from escalating, Flurry Finance announced that it has suspended all smart contract activities for RhoTokens on all networks."

"Flurry Finance told The Daily Swig on March 1: “Our team is in full swing to redeploy all smart contracts on the FLURRY protocol after a full sweep of security checks again. We will issue the hack report/ compensation plan later this week. [We] hope it will give you more idea on the hack, and [the] other precautionary [measures taken].”"

"We have been working day and night, not only to tighten the security system of the Flurry Protocol (FlurryPro), as well as to upgrade all relevant rhoToken contracts in preparation for redeployment to compensate the losses induced by this unfortunate incident to all affected users."

"As mentioned in previous tweets, we will compensate all losses induced by this incident to our users. However, since it will involve the redeployment of rhoTokens, it will take us some time to restore the rhoToken balance for all rhoToken hodlers." "Our team Flurry Finance would like to thank you for your patience and support throughout the unfortunate incident in which the exploitation has cost the loss of a total sum of USD 250,668.11 on the Flurry Protocol (FlurryPro)."

"The redeployment will be ready by the week of 21 March." "Our team will create a new rhoUSDT & rhoBUSD contract on BNB Chain, which remains to be pegged 1:1 to its underlying stablecoins. All affected users’ balances will be restored automatically once the new smart contract is being deployed." "Users will only have to add the newly deployed rhoUSDT or rhoBUSD in your wallet to see the token balance."


The Reality


What Happened


Key Event Timeline - Flurry Finance Vault Flash Loan Attack

Date | Event | Description
February 22nd, 2022 4:18:00 PM | Main Event |

Total Amount Lost

The total amount lost has been estimated at $251,000 USD.


Immediate Reactions


Ultimate Outcome


Total Amount Recovered

The total amount recovered is unknown.


Ongoing Developments


Prevention Policies


References

SlowMist Hacked - SlowMist Zone (Jun 25)

Flurry | The Future of Yield Farming (Mar 8)

Flurry Finance Explains - Future of Yield Farming - YouTube (Mar 8)

Introducing Flurry Finance - Flurry Finance (Mar 9)

Flurry Finance heist nets crypto thieves $295k | The Daily Swig (Mar 9)

@FlurryFi Twitter (Mar 9)

@FlurryFi Twitter (Mar 9)

Post Incident Security And Compensation Plan (Mar 9)

Over $290,000 Stolen From DeFi Protocol Flurry Finance (Mar 9)

Flurry Finance Hacked: Reportedly $293K Lost | Biden Slaps Russia with Sanctions 23/02/22 - YouTube (Mar 9)

Flurry Finance Hacked: Reportedly $293K Lost | Coinmonks News #93 Crypto News With Coinmonks podcast (Mar 9)

Over $290,000 Stolen From DeFi Protocol Flurry Finance - The Crypto Basic (Mar 9)

Flurry Finance Hacked: Reportedly $293K Lost | CoinCodeCap (Mar 9)

@FlurryFi Twitter (Mar 9)

@CertiKCommunity Twitter (Mar 9)

https://bscscan.com/address/0x0f3c0c6277ba049b6c3f4f3e71d677b923298b35 (Mar 9)

https://bscscan.com/address/0xb7a740d67c78bbb81741ea588db99fbb1c22dfb7 (Mar 9)

https://bscscan.com/address/0xca9596e8936aa8e902ad7ac4bb1d76fbc95e88bb (Mar 9)

@FlurryFi Twitter (Mar 9)

@FlurryFi Twitter (Mar 9)

Incident Report On 22 Feb 2022 (Mar 9)

@FlurryFi Twitter (Mar 9)