Today, on June 21, 2021, an Impossible Finance (IF) decentralized financial protocol faced an attack that resulted in six-digit losses. According to the analysts, the design of hack may not be novel at all.
Impossible Finance (IF) protocol suffers devastating attack
Mr. Mudit Gupta, core developers of SushiSwap (SUSHI) decentralized exchange, has reported that Impossible Finance protocol has been targeted by an attack. Malefactors issued fake token and launched the liquidity pool with it.
Despite that Impossible Finance (IF) isn’t a fork of BurgerSwap (BURGER) DeFi, the designs of two attacks look similar for the analysts.
Ex-Binance Research's Calvin Chu, developer at Impossible Finance, claimed that the scenario of the attack wasn’t ‘simple’ and his team is working on a solution to mitigate the ongoing issues.
Net amount of funds stolen is estimated at almost 230 Ethers or more than $500,000 at the time of attack.
One scenario, many hacks
WatchPug team tasked with the smart contract security issues in DeFi segment, shared the details of the attack design. According to them, the hackers created a liquidity pool with a fake token AAA (BBB).
Then, with the assistance of Impossible Finance router through the FAKE token liquidity pool, the attackers swapped IF tokens to BUSD stablecoins multiple times.
Initial liquidity required for the attack - 233 Binance Coins (BNB) – had been borrowed as a ‘flash loan’ on PancakeSwap, the most popular DeFi on Binance Smart Chain.
It is the vulnerability of a liquidity pool contract that make the entire hack possible, add WatchPug experts.