Investors are depositing millions into new DeFi protocols launched by anonymous developers, at times only to be wiped away in a hack.
The latest to suffer that unfortunate fate is Warp Finance.
Promising to be a money market where users can borrow and lend tokens and stablecoins representing liquidity in automated market makers, Warp rapidly saw its total locked value climb to $8 million in the week after its launch.
Yet on Dec. 17, Warp became the latest victim of a flash loan exploit.
Around 23:00 UTC, a suspicious transaction began making the rounds after a tweet from DeFi investor “CryptoCat.” The user highlighted that an address had executed a transaction that allowed them to withdraw all $7.8 million in stablecoins from Warp’s lending contracts.
For this to be possible, the user should have deposited collateral valued at more than the $7.8 million they withdrew. But this was not the case: through a series of flash loans and trades, the attacker managed to trick the platform to let it withdraw all capital from Warp’s stablecoin pools without depositing a single dollar of their own capital.
In total, the attacker received 1,462 ether from the transaction, valued just under $1,000,000.
The cost, $134 in transaction fees.
The main tool the attacker utilized is flash loans—decentralized loans that are valid for only one block and require no collateral to be opened. If the taker of a flash loan returns the funds they borrowed and the fee within the same transaction, they can do what they please with the funds.
In Warp’s case, the attacker used capital from the flash loan to create Uniswap liquidity provider tokens, manipulate how Warp perceives the price of the LP tokens via a large trade, then use the inflated collateral to withdraw stablecoins from Warp.
While the attacker drained $7.8 million from the Warp pools, they only made approximately $950,000.
Approximately $1.05 million worth of the funds withdrawn were distributed to Uniswap and SushiSwap liquidity providers, which facilitated the trades involved in this exploit. Then, another ~$5.8 million worth of LP tokens were in Warp’s lending contracts.
Peckshield, an auditing company, broke down the details of the exploit here.
The Recovery Process
Because $5.8 million worth of LP tokens was left in the contract after the attack, many were quick to ask if there was any chance of recovery.
But because the value of most user deposits was $0, no one could feasibly withdraw the LP tokens without depositing more collateral. Further, Yam co-founder Brock Elmore pointed out that the LP tokens were still ultimately owned by the attacker.
After a “war room’ effort with white-hat hackers like Paradigm’s “Samczsun” and Yearn.finance’s “Banteg”, a potential solution was identified.
Work is currently being done to extract the LP shares from the smart contract to be distributed to affected users.