Original title: "Duang~ Shark flash-crashes 99%! It forked Bunny's code and forked its attack too"
Original source: PeckShield
This week, the prices of DeFi protocols hit by flash loan attacks have been as changeable as the weather in May. Flash loan attacks are now frequent: within a week, the prices of several tokens have fallen close to zero and hundreds of millions of dollars have been lost. After so many attacks, are DeFi developers really paying more attention to code security?
On May 24, Beijing time, a PeckShield "PaiShield" alert showed that AutoShark Finance, a DeFi protocol forked from the yield aggregator PancakeBunny, was hit by a flash loan attack. As a result of the attack, the price of SHARK crashed, with the drop briefly reaching 99 percent.
PeckShield's initial tracking and analysis found that the attack method was similar to the one used against PancakeBunny, which was hit by a flash loan attack five days earlier.
According to AutoShark Finance, it is built on PantherSwap, a decentralized exchange noted for its number of transactions on the BSC chain, rather than on PancakeSwap, which spared it from the attack on PancakeBunny.
Users can deposit the LP tokens they obtain by market making on PantherSwap into AutoShark Finance to earn compound interest. Unfortunately, AutoShark did not escape: the forked PancakeBunny code brought with it an attack on the same vulnerability.
PeckShield's brief description of the attack process:
The attacker borrowed 100,000 BNB through a PancakeSwap flash loan, converted 50,000 BNB into SHARK tokens, and deposited the remaining 50,000 BNB together with the converted SHARK tokens into PantherSwap to add liquidity and obtain the corresponding LP tokens. When the getReward() function was called, the large amount of injected liquidity raised the value of the LP tokens, and the attacker was rewarded with 100 million SHARK. After withdrawing the liquidity, the attacker repaid the flash loan, completing the attack. The attacker then converted the proceeds to ETH in batches through the Nerve (Anyswap) cross-chain bridge. PeckShield's anti-money-laundering situational awareness system, CoinHolmes, is continuously monitoring the movement of the transferred assets.
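For teams monitoring a forked vault, the sequence described above (borrow, add liquidity, call getReward(), withdraw, repay, all in one transaction) can be turned into a simple detection rule. The following is an added example, not code from PeckShield or AutoShark; the trace format, action labels, function name and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed, simplified call-trace records: (tx_id, order_in_tx, action, amount).
# Action labels are hypothetical normalised names, not real event signatures.
SAMPLE_TRACE = [
    ("tx_a", 0, "flash_borrow", 100_000),
    ("tx_a", 1, "swap", 50_000),
    ("tx_a", 2, "add_liquidity", 50_000),
    ("tx_a", 3, "get_reward", 100_000_000),
    ("tx_a", 4, "remove_liquidity", 50_000),
    ("tx_a", 5, "flash_repay", 100_000),
    ("tx_b", 0, "add_liquidity", 12),
    ("tx_c", 0, "get_reward", 40),      # ordinary harvest, no loan involved
    ("tx_d", 0, "flash_borrow", 500),   # flash loan that never touches the vault
    ("tx_d", 1, "swap", 500),
    ("tx_d", 2, "flash_repay", 500),
]

def flag_flash_loan_rewards(trace, typical_reward=100.0, ratio=1000.0):
    """Return {tx_id: [reasons]} for transactions that claim a reward
    while a flash loan is still outstanding in the same transaction."""
    by_tx = defaultdict(list)
    for tx_id, order, action, amount in trace:
        by_tx[tx_id].append((order, action, amount))
    findings = {}
    for tx_id, calls in by_tx.items():
        calls.sort()                    # replay calls in execution order
        reasons, borrowed, added = [], False, False
        for _, action, amount in calls:
            if action == "flash_borrow":
                borrowed = True
            elif action == "flash_repay":
                borrowed = added = False
            elif action == "add_liquidity" and borrowed:
                added = True
            elif action == "get_reward":
                if borrowed:
                    reasons.append("reward claimed while a flash loan is outstanding")
                if borrowed and added:
                    reasons.append("liquidity added with borrowed funds before the claim")
                # typical_reward and ratio are assumed tuning values
                if amount > typical_reward * ratio:
                    reasons.append("reward far above typical size")
        if reasons:
            findings[tx_id] = reasons
    return findings
```

On the constructed trace only tx_a is flagged, with all three reasons; a reward claimed after the loan has been repaid is not flagged.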
After PancakeBunny was hit by a flash loan attack, AutoShark Finance posted an analysis of how the attack on PancakeBunny worked and highlighted the importance it places on security: "We've done 4 code audits, 2 of which are ongoing."
After an attack on a similar DeFi protocol, do protocol developers really check whether their own contracts have similar vulnerabilities? Do they take protocol security more seriously? Judging by the attack on AutoShark Finance, not enough.
"Attacking known vulnerabilities is a common foraging method for attackers in the still-developing DeFi field," said PeckShield's security director. "The importance of DeFi protocol security is not just about paying attention to it, but about what we have to do with the code: Was there a static audit before the protocol went live, was there a self-examination of the code after other protocols were compromised, and was there a security risk with the interacting protocols?"
In addition, PeckShield "PaiShield" reminds investors that after a DeFi protocol is attacked, they should pay closer attention to similar protocols to avoid the risk that comes from a shared code origin. When a token's price falls after an attack, investors are advised not to rush to buy the rebound.