The decentralized finance (DeFi) protocol New Free DAO suffered a series of flash loan attacks on Thursday, resulting in a loss of $1.25 million. The native token’s price fell 99% after the attack.
The attacker is believed to have exploited an unverified contract and used the function “addMember()” to make itself a member. The attacker then performed three flash loan attacks with the help of the unverified contract.
The attacker borrowed wrapped BNB (wBNB) through a flash loan and exchanged all of it for NFD. The contract was then used to create multiple contracts that received the airdrop rewards multiple times, and all of these rewards were exchanged back into wBNB.
The attacker then repaid the BNB loan, exchanged a portion of the remaining BNB for BSC-USD, the blockchain’s Binance-Peg token, and transferred it to Tornado Cash.
Hugh Brooks, Director of Security Operations, suggested that the vulnerability resides in an unverified reward contract implemented by the new DAO project. However, because the reward contract was not verified, they could not find the root cause.