Elephant Money

Elephant Money Flash Loan Exploit - April 12-13, 2022

Overview

On April 12-13, 2022, Elephant Money, a stablecoin platform that employs the TRUNK token, was a victim of a flash loan assault, which manipulated a token price oracle, resulting in a $22.2 million loss. According to a statement by cybersecurity team BlockSec, Elephant Money DeFi protocol fell victim to a price manipulation attack that started with borrowed Wrapped Binance Coins (WBNB).

Attack Mechanism

The attacker initially borrowed 91,035,000 BUSD and 131,162 WBNB via flash loans. The vulnerability stemmed from the process where BUSD was exchanged for WBNB, which was then utilized to purchase ELEPHANT, leading to artificial inflation in ELEPHANT's value while TRUNK was being minted.

Profit and Cycle

After returning the flash loans, the attacker profited by approximately $4 million in a single cycle. This process was not a one-time event. The attacker repeated the cycle, significantly multiplying the illicit gains. The cumulative result of these repeated actions led to the attacker amassing over 27,000 WBNB, equivalent to around $11.2 million.

Fund Laundering

Some of the funds were bridged to Ethereum, and others were sent to Tornado Cash, a popular cryptocurrency tumbler, in an attempt to launder and obscure the origins of the funds.

Sources

• Top 10 Flash Loan Attacks - ImmuneBytes

• Elephant Money Hack Detailed Analysis - ImmuneBytes

• Hackers Steal $11M from Elephant Money - The Record

• DeFi Hacks Timeline - ChainSec