Warp Finance

Warp Finance Hack - December 2020

Overview

On December 17th, 2020 the Warp Finance protocol experienced a flash loan exploit due to a gameable oracle that resulted in the user being able to withdraw a $7.76m loan. The platform was launched only 9 days ago.

How the Attack Worked

An unknown user used the flash loan scheme to drain the DAI and USDC vaults of the protocol through multiple transactions. The hacker utilized a complex scheme to retrieve a value much higher than the collateral limit, making the lender lose money.

The technical details involved manipulating the unit price of LP Token to obtain more stable currency loans. The execution of the exploit involved multiple flash loans via dYdX, multiple flash swaps via Uniswap and multiple instances of flash liquidity.

Impact and Recovery

The attacker took out a flash loan which allowed them to borrow more than the amount of collateral they put down, which resulted in the loss of 3.85 million DAI and 3.92 million USDC.

On December 20th, 2020 at 0216 UTC the Warp Finance team successfully recovered the exploiter's loan collateral in the form of ETH/DAI-LP tokens. The value is approximately $5.85m, which is ~75% of the $7.76m lost funds.

Sources

• https://invezz.com/news/2020/12/18/warp-finance-loses-7-7-million-in-flash-loan-defi-hack/

• https://slowmist.medium.com/analysis-of-warp-finance-hacked-incident-cb12a1af74cc

• https://warpfinance.medium.com/warp-finance-exploit-summary-recovery-of-funds-5b8fe4a11898

• https://www.coindesk.com/markets/2020/12/18/warp-finance-suffers-possible-8m-flash-loan-attack

• https://decrypt.co/52125/warp-finance-recovers-5-8-million-days-after-hack