Earning.farm, a user-friendly yield machine for Ethereum (ETH), Wrapped Bitcoin (WBTC) and USD Coin (USDC) holders, has been exploited by malefactors.
Earning.farm drained for almost $1 million, here's how
As per a statement shared by California-based Web3 security vendor Supremacy Inc., earning.farm DeFi suffered two attacks yesterday, Oct. 15, 2022.
1/ Hi, @EarningFarm, your EFLeverVault contract was hit by a Flashloan attack that resulted in a cumulative profit of 480 Ether from the MEV Bot and 268 Ether from the hackers. Here is a brief vulnerability analysis of the attack. https://t.co/Faw9FyWae1 pic.twitter.com/jhXuqbq1dJ — Supremacy Inc. (@Supremacy_CA) October 14, 2022
EFLeverVault, a key element of earning.farm DeFi's design, was targeted by flash loan attacks. Due to a design flaw in its contract, attackers managed to withdraw all the Ether (ETH) the contract held as collateral.
As explained by seasoned blockchain security researcher Daniel Von Fange, the EFLeverVault contract failed to verify who initiated the large withdrawal:
The 750 ETH hack from EFLeverVault a few hours ago happened because the contract did not verify that flashloan callbacks were actually initiated by the protocol, allowing the attacker to tell the protocol to withdraw large amounts of funds
As a result, a total of 750 Ethers was siphoned from the protocol: 480 Ethers ended up in an MEV bot, while 268 Ethers were withdrawn by hackers.
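The flaw Von Fange describes is a callback-authentication failure: a flash loan lender hands control back to the borrower through a callback, and if that callback does not check who is calling it and who asked for the loan, any account can drive the borrower's privileged logic directly. The Solidity below is an added illustration of that pattern and is not EFLeverVault's code; the lender interface, function names and contract names are hypothetical, chosen only to contrast an unchecked callback with a hardened one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical minimal flash-loan lender interface (illustrative only, not a real protocol's ABI).
interface IFlashLender {
    function flashLoan(address receiver, uint256 amount, bytes calldata data) external;
}

// Hypothetical callback interface the lender invokes on the receiver after sending the funds.
interface IFlashBorrower {
    function onFlashLoan(address initiator, uint256 amount, uint256 fee, bytes calldata data) external;
}

// UNCHECKED PATTERN (illustrative): the callback trusts whoever calls it.
contract UncheckedVault is IFlashBorrower {
    IFlashLender public immutable lender;

    constructor(IFlashLender _lender) { lender = _lender; }

    function onFlashLoan(address, uint256 amount, uint256 fee, bytes calldata data) external override {
        // Missing: no check that msg.sender is the lender, and no check that this
        // vault opened the loan. Any caller reaches the strategy logic directly.
        _executeStrategy(amount, fee, data);
    }

    // Placeholder for the leverage/unwind logic a real vault would run here.
    function _executeStrategy(uint256, uint256, bytes calldata) internal {}
}

// HARDENED PATTERN: authenticate the caller and bind the callback to a loan this contract opened.
contract CheckedVault is IFlashBorrower {
    IFlashLender public immutable lender;
    bool private _inFlashLoan; // true only while a loan we initiated is in flight

    error UntrustedCaller(address caller);
    error UnexpectedInitiator(address initiator);
    error CallbackOutsideLoan();

    constructor(IFlashLender _lender) { lender = _lender; }

    // Entry point the vault's own logic uses to open a loan (access control omitted for brevity).
    function leverage(uint256 amount, bytes calldata data) external {
        _inFlashLoan = true;
        lender.flashLoan(address(this), amount, data);
        _inFlashLoan = false;
    }

    function onFlashLoan(address initiator, uint256 amount, uint256 fee, bytes calldata data) external override {
        // 1. Only the lender we integrate with may invoke the callback.
        if (msg.sender != address(lender)) revert UntrustedCaller(msg.sender);
        // 2. The loan must have been requested by this contract, not by a third party.
        if (initiator != address(this)) revert UnexpectedInitiator(initiator);
        // 3. Belt-and-braces: reject callbacks that arrive outside a loan we opened.
        if (!_inFlashLoan) revert CallbackOutsideLoan();
        _executeStrategy(amount, fee, data);
    }

    function _executeStrategy(uint256, uint256, bytes calldata) internal {}
}
```

The three checks are deliberately redundant. The `msg.sender` check alone is not enough where a lender lets any caller nominate an arbitrary receiver, because the callback would then still come from the trusted lender address; the `initiator` check covers that case, and the in-flight flag catches lenders whose `initiator` value is under the caller's control. Reviewing every externally callable callback for these three questions is a cheap audit step for any contract that integrates a flash loan provider.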
Hack season instead of "Uptober"
As Ethereum (ETH), the second largest cryptocurrency, was changing hands at $1,300 yesterday on major spot trading platforms, net losses might exceed $950,000.
October 2022 will be remembered as a month of unmatched attacks against the mainstream DeFi infrastructure. On Oct. 7, 2022, a bridge between two elements of BNB Chain was exploited for $566 million.
On Oct. 12, Solana-based liquidity protocol Mango was drained of $100 million as a malefactor managed to manipulate the price oracles.
Later, the Mango community agreed to pay the largest bug bounty ever to the hacker: the attacker kept $47 million and returned the rest of the affected funds.