Hacker drains DeFi protocol Warp Finance, nearly $8 million lost

Another DeFi project got hacked and lost about $8 million of user funds in DAI and USDC. The attacker exploited a sophisticated multi-protocol flash loan scheme and Tornado Cash to hide the digital trace. 

Warp Finance is a DeFi platform that claims to offer "an optimized lending solution powering a liquidity engine." In other words, they allowed users to take cryptocurrency loans using stablecoins as collateral. The project was launched in October 2020. 

What happened to Warp Finance money

Late on Thursday, the community members noticed irregular activity on Warp Finance protocol. Someone used multiple transactions within the flash loan scheme to drain USDC and DAI vaults of the protocol. 

Flash loan is a handy DeFi feature that allows anyone to get an instant loan without the collateral provided that it is repaid within the same block. In the case of Warp Finance, the hacker used a complex scheme to loan more than their collateral value, which led to a lender losing money.

The project team confirmed the hack and recommended to refrain from depositing stablecoins to the protocol until the situation was investigated.

The exploiter got away with $7.7 million in DAI and USDC; however, the team claims that there are approximately $5.5 million that can be recovered from a collateral vault and used to cover the losses.

We will post a more detailed analysis and next steps for http://warp.finance in the coming days when we have a more robust understanding of the exploit that took place.

Emiliano Bonassi, a founder of  DeFi Italy and a white hacker, noticed that hackers tend to launch complicated attacks with multiple loans and swaps on several protocols.

This is the second attack, which uses multiple flash liquidity, flash swaps via Uniswap, and flash loans via dYdX. We will see very complicated things via AaveAave V2 batch flash loans :)

The hack turned out to be costly

Meanwhile, another DeFi expert Nick Chong noted that hackers got away only with $1 million in ETH, while the rest went to paying fees. 

What I immediately find interesting here is that it appears that much of the attacker's bounty went to fees. There was 3.85m DAI and 3.92m USDC in the Warp contracts. The attacker (seemingly) left with $1 million in ethereum (1,462 ETH).

He further explained that the attacker pumped millions through illiquid Uniswap pairs, which resulted in significant slippage on the flash swaps.

The DeFi industry is vulnerable to hack attacks, and Wrap Finance is not the first victim. FXStreet previously reported that Pickle Finance lost nearly $20  of users' funds in DAI tokens. The attacker found and exploited a vulnerability in a smart contract to drain the money. Since the start of the year, the industry lost over $100 million due to hack attacks.