Flash loan attacks are effective again and again, with over $16 million stolen from DeFi in one week

Hackers used flash loans to obtain $16.4 million in ETH and Dai from DeFi projects Akropolis, Value DeFi Protocol, and Origin Protocol.

The Value DeFi attacker exchanged ETH obtained through flash loans for DAI and USDT, and deposited part of the DAI into the Value DeFi multi-stablecoin machine gun pool. They then conducted a series of stablecoin swaps between USDT, USDC, and DAI in order to exploit the pricing of the Value DeFi machine gun pool withdrawal method, causing a loss of $7.4 million before the hacker returned $2 million.

Value DeFi has stopped the operation of the machine gun pool because the team needs to obtain the account balance of each user who deposited funds before the attack to calculate the accurate compensation amount.

As for Origin Protocol, which was hacked for $7 million, similar methods continue to use flash loans on liquidity platforms such as Uniswap. At the same time, funds deposited in the machine gun pool were also frozen as the company warned that it is recommended not to buy any OUSD because the current price does not reflect its underlying assets. If Origin cannot retrieve the funds deposited by users, the team is expected to come up with a plan to compensate users.

The reason for Akropolis' loss of $2 million was the use of pool tokens without asset backing. Akropolis has added checks on deposited tokens, as well as reentry protection for deposits and withdrawals. Next week, the team plans to conduct additional contract testing and gradually reopen the AKRO & ADEL staking pools.

With flash loans, users can borrow money directly from DeFi protocols without providing collateral, provided that the loan is repaid in the same block. This allows speculators to exploit protocol vulnerabilities without requiring a large amount of initial capital. As DeFi attracted a large number of new users due to its ridiculously high annualized returns (exceeding traditional bank savings) in 2020, such attacks have been on the rise.

Some in the DeFi community view flash loans as dangerous tools that put user funds at risk, while others believe they simply expose protocol vulnerabilities earlier. If one thing is clear, it’s that flash loans are helping to clear out weaknesses in the space, albeit at a high cost to some users.

According to Crypto Briefing, as 2020 draws to a close, $346 million has been stolen from DeFi protocols so far. The next step for these protocols is to work with security companies to recover the lost funds.