Theft topped out at six figures after DeFi platform blocked ‘token balance multiplier’ exploit
Around $295,000 has been drained from the vaults of decentralized finance (DeFi) platform Flurry Finance following a hack on its smart contracts.
The attack took place on Tuesday (February 22) when a malicious hacker deployed an exploit that enabled the increase of a multiplier influencing the balance of rhoToken, a deposit token used by Flurry Finance for yield aggregation.
The upshot was an increase in the attackers’ token balance and the illicit withdrawal of additional funds, according to blockchain security company CertiK.
The attacker managed to repeat the process several times before Flurry Finance blocked further withdrawals by pausing smart contracts running on Polygon and the Binance Smart Chain (BSC).
CertiK told The Daily Swig that it detected suspicious activity within 15 minutes of the attack occurring and notified Flurry Finance as soon as it had verified an attack was taking place.
CertiK said the attacker unleashed a malicious token contract, created a PancakeSwap pair for the token and Binance USD (BUSD), then took out a flash loan from Rabbit Finance’s bank contract.
Triggering the StrategyLiquidate function, which “decoded input data as the LP token address created in the previous step”, enabled execution of malicious code that rebased all vaults and updated the multipliers for rhoTokens.
“Because the rebasing was triggered in the process of a flashloan and tokens borrowed from the Bank contract were not returned yet, the low balance in the Bank contract led to a low multiplier,” explained CertiK.
After returning the flash loan and concluding the preparation transaction, the attacker proceeded to deposit tokens with the low multiplier, updated the multiplier to a higher value, then withdrew tokens with the high multiplier.
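The accounting flaw described above, modelled as an added example that is not Flurry Finance's or CertiK's code: a toy vault whose multiplier is recomputed from a backing figure read from an external "bank", and a hardened variant that restricts who may rebase, sanity-checks the reading against its own accounting, and blocks deposits and withdrawals in the same block as a rebase. The vault, the keeper role, the 5% tolerance and the balances are all constructed assumptions for illustration.

```python
"""Toy accounting model of a multiplier-based (rebasing) vault token.

Constructed illustration, not the FLURRY protocol's contracts. Each holder
owns 'shares'; the visible balance is shares * multiplier. A rebase recomputes
the multiplier from an observed backing figure, which is the manipulable input.
"""
from dataclasses import dataclass, field

SCALE = 10**18  # fixed-point scale for the multiplier (1.0 == SCALE)


class GuardTripped(Exception):
    """Raised by the hardened vault when an action fails one of its guards."""


@dataclass
class Vault:
    hardened: bool = False
    underlying: int = 0                        # backing the vault itself accounts for
    shares: dict = field(default_factory=dict)
    multiplier: int = SCALE                    # starts at 1.0
    keepers: set = field(default_factory=set)  # hypothetical trusted rebase callers
    block: int = 0                             # simulated block number
    last_rebase_block: int = -1
    tolerance_bps: int = 500                   # assumed 5% max divergence on rebase

    def total_shares(self) -> int:
        return sum(self.shares.values())

    def balance_of(self, who: str) -> int:
        return self.shares.get(who, 0) * self.multiplier // SCALE

    def _guard_user_action(self) -> None:
        # Hardened: no deposit/withdrawal in the block a rebase happened in, so a
        # multiplier change cannot be sandwiched inside one transaction bundle.
        if self.hardened and self.last_rebase_block == self.block:
            raise GuardTripped("user action blocked in a rebase block")

    def deposit(self, who: str, amount: int) -> None:
        self._guard_user_action()
        self.underlying += amount
        self.shares[who] = self.shares.get(who, 0) + amount * SCALE // self.multiplier

    def withdraw_all(self, who: str) -> int:
        self._guard_user_action()
        amount = min(self.balance_of(who), self.underlying)  # cannot pay out more than held
        self.shares[who] = 0
        self.underlying -= amount
        return amount

    def rebase(self, caller: str, observed_backing: int) -> None:
        """Recompute the multiplier from an externally observed backing figure."""
        if self.hardened:
            if caller not in self.keepers:
                raise GuardTripped("only a keeper may rebase")
            # A reading far from our own accounting is treated as manipulated,
            # e.g. taken while a flash loan against the bank is still unrepaid.
            diff = abs(observed_backing - self.underlying) * 10_000
            if diff > self.underlying * self.tolerance_bps:
                raise GuardTripped("observed backing diverges from accounting")
        total = self.total_shares()
        if total:
            self.multiplier = observed_backing * SCALE // total
        self.last_rebase_block = self.block


def guarded(fn, *args) -> bool:
    """Return True if the vault action succeeded, False if a guard rejected it."""
    try:
        fn(*args)
        return True
    except GuardTripped:
        return False


def run_scenario(hardened: bool) -> dict:
    """Replay the low-multiplier deposit / high-multiplier withdrawal pattern."""
    v = Vault(hardened=hardened, keepers={"keeper"})
    v.deposit("alice", 1000)  # honest depositor: backing 1000, multiplier 1.0
    v.block = 1
    # Block 1: the bank's balance reads 100 while 900 is out on a flash loan, and
    # an untrusted caller triggers a rebase from that depressed reading.
    guarded(v.rebase, "untrusted", 100)   # vulnerable: multiplier -> 0.1
    v.deposit("untrusted", 100)           # vulnerable: 100 tokens buy 1000 shares
    v.block = 2
    # Block 2: loan repaid; backing really is 1100, and a rebase reflects that.
    guarded(v.rebase, "keeper" if hardened else "untrusted", v.underlying)
    v.block = 3
    withdrew = v.withdraw_all("untrusted")
    return {
        "deposited": 100,
        "withdrew": withdrew,
        "alice_claimable": v.balance_of("alice"),
        "underlying_left": v.underlying,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "vulnerable", run_scenario(mode))
```

In the vulnerable run the 100-token deposit is redeemed for 550 and the honest depositor's claim shrinks to 550, which is the invariant a monitoring rule should watch: total claimable must never exceed the backing the vault itself has accounted for. The hardened run rejects the untrusted rebase and the out-of-tolerance reading, so the deposit and withdrawal net to zero.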
CertiK, which audits smart contracts for Flurry Finance, has emphasized that “the exploit was caused by external dependencies”.
Rebasing on hold
In a community alert posted on Twitter yesterday (February 25), Flurry Finance said:
“Our team has got to the bottom of the issue, and [is] currently upgrading all the smart contracts on rhoTokens in order to avoid the exploitation from happening again.
“However, during the upgrade, the rebasing feature and all rhoToken services will remain suspended until further notice. We apologise for the inconvenience.”
Flurry Finance told The Daily Swig on March 1: “Our team is in full swing to redeploy all smart contracts on the FLURRY protocol after a full sweep of security checks again. We will issue the hack report/compensation plan later this week. [We] hope it will give you more idea on the hack, and [the] other precautionary [measures taken].”
The attacker’s ill-gotten gains are relatively minor in the context of cryptocurrency hacks that regularly lead to eye-watering seven- or even eight-figure losses.
For instance, money-laundering charges recently brought over the Bitfinex hack revealed that the attackers’ $70 million profits had since appreciated to $4.5 billion, while in December crypto-trading platform BitMart reported a $150 million theft.
This article was updated on February 25 with additional comment from CertiK, and then on March 1 with comment from Flurry Finance.