On Thursday, Dec. 17, the decentralized finance protocol Warp Finance became the latest project to lose funds in a flash loan attack.
The team just released a summary of what actually happened. They also promised to return most of the lost funds.
The attack, according to the post mortem report, was a flash loan exploit ‘due to a gameable oracle’. A flash loan is a loan in which funds are borrowed and repaid within the same transaction.
Warp Finance Post Mortem
The report added that the collateral was worth less than the loan, which is why a standard liquidation was unable to take place. A total of $7.76 million was lost according to Warp Finance, which added that they had been able to return three-quarters of the user funds:
“The loan collateral has since been secured by the warp finance team and will allow us to return approximately 75% of users’ deposited funds, thanks to support from the Ethereum and white hat community.”
The attacker took out several flash loans via the dYdX exchange and made multiple flash swaps via Uniswap. The attacker then executed a contract that flash swapped $180 million from Uniswap and flash borrowed $51 million from dYdX. This allowed the attacker to borrow more than their collateral was worth, which resulted in a loss of stablecoin lender funds. Warp Finance relied on vulnerable Uniswap liquidity pool token prices, according to the Rekt Blog, which detailed the offending transactions.
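Why an LP token price can be gameable, as a small simulation (an added example, not code from Warp Finance or its post mortem). It assumes the LP token is valued from the pool's current reserves multiplied by reference prices that a swap does not move, and compares that with the commonly used "fair" LP price 2*sqrt(k*p0*p1)/supply; the pool sizes, prices, 2% threshold and all function names are constructed for illustration.

```python
import math
from dataclasses import dataclass

FEE = 0.003  # Uniswap v2 swap fee

@dataclass
class Pool:
    """Constant-product ETH/DAI pool (reserve_eth * reserve_dai = k)."""
    reserve_eth: float
    reserve_dai: float
    lp_supply: float

    def swap_dai_for_eth(self, dai_in: float) -> float:
        """Sell DAI into the pool; reserves shift, k grows only by the fee."""
        effective = dai_in * (1 - FEE)
        eth_out = self.reserve_eth * effective / (self.reserve_dai + effective)
        self.reserve_dai += dai_in
        self.reserve_eth -= eth_out
        return eth_out

def reserve_based_price(pool, eth_usd, dai_usd):
    """Gameable: values whatever reserves the pool holds at this instant."""
    return (pool.reserve_eth * eth_usd + pool.reserve_dai * dai_usd) / pool.lp_supply

def fair_price(pool, eth_usd, dai_usd):
    """Values the reserves the pool would hold at the reference prices:
    2 * sqrt(k * p_eth * p_dai) / supply. Depends only on the invariant k."""
    k = pool.reserve_eth * pool.reserve_dai
    return 2 * math.sqrt(k * eth_usd * dai_usd) / pool.lp_supply

def collateral_price(pool, eth_usd, dai_usd, max_divergence=0.02):
    """Price for lending decisions: the fair price, refusing to quote while the
    pool is out of line with the reference prices (hypothetical 2% threshold)."""
    fair = fair_price(pool, eth_usd, dai_usd)
    spot = reserve_based_price(pool, eth_usd, dai_usd)
    if abs(spot - fair) / fair > max_divergence:
        raise ValueError(f"pool imbalanced: reserve-based {spot:.2f} vs fair {fair:.2f}")
    return fair

def demo():
    # Constructed numbers: 100,000 ETH and 60M DAI pooled, ETH reference price $600.
    pool = Pool(100_000, 60_000_000, 2_000_000)
    before = (reserve_based_price(pool, 600, 1), fair_price(pool, 600, 1))
    pool.swap_dai_for_eth(180_000_000)  # one very large swap within a single transaction
    after = (reserve_based_price(pool, 600, 1), fair_price(pool, 600, 1))
    return pool, before, after

if __name__ == "__main__":
    _, before, after = demo()
    print("before swap (reserve-based, fair):", before)
    print("after swap  (reserve-based, fair):", after)
```

In this constructed pool the reserve-based price more than doubles after the swap while the fair price moves by about 0.1%, so a lender using the former would over-value the same LP tokens as collateral.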
75% of funds returned
In approximately 24 hours the protocol will distribute the recovered funds. Amounts to affected users will be proportional to the amount of W-USDC and W-DAI held at the time of the snapshot. Also, the platform will be issuing ‘Portal IOU’ tokens and users will need to redeem them on Uniswap.
“The reason we have chosen to return LP tokens instead of stablecoins is that these are the tokens we’ve been able to recover. We did not want to add any complexity or risk to the refund process.”
They stated that the recovered tokens are ETH/DAI-LP tokens. This means that the return is a token consisting of Ethereum and DAI deposits. Users can take these LP tokens to claim the underlying assets on Uniswap.
Several DeFi protocols have fallen victim to flash loan attacks recently. Known victims include Origin Protocol, Akropolis, and Harvest Finance.