Warp Finance has suffered a flash loan attack. According to the team, the attacker was able to suck nearly $8 million worth of stablecoins from the platform by borrowing more than they were ostensibly allowed to.
“The exploiter was able to remove $7.7m of stablecoins,” tweeted the lending platform on Thursday evening. “The team has a plan to recover approximately $5.5m that is still secured in the collateral vault. Upon successful recovery, these will be distributed to users who experienced a loss.”
Warp had earlier in the evening recommended that users not deposit stablecoins as it investigated “irregularities.”
The protocol announced itself at the end of October—and the platform officially launched on December 9—just eight days ago, making this a harsh introduction to the world of DeFi, where smart contracts stand in for banks.
A flash loan attack involves involves borrowing collateral and returning it in a single transaction after using it to manipulate price. White hat hacker Emiliano Bonassi reviewed the attack and believes it actually involved multiple “flash swaps” to three liquidity pools on decentralized exchange Uniswap—one each for Wrapped BTC, USDC, and USDT—as well as two loans from crypto trading platform dYdX involving Ether and DAI.
Flash loan attacks have been to blame for a series of recent losses on DeFi protocols, including an $89 million attack on Compound and a $34 million attack on Harvest Finance.
Warp has promised to publish a more detailed post-mortem in the coming days.