Earning.farm is a simple yield machine for holders of Ethereum (ETH), Wrapped Bitcoin (WBTC), and USD Coin (USDC). It was exploited for around 750 ETH on October 14, 2022, at 12:27:11 PM UTC. The attacker, using the address 0xdf31F4C8dC9548eb4c416Af26dC396A25FDE4D5F, drained all of the ether (ETH) held as collateral in the Earning.farm EFLeverVault contract by means of a flash loan attack.
"The attack happened because the contract did not verify that flashloan callbacks were actually initiated by the protocol, allowing the attacker to tell the protocol to withdraw large amounts of funds." (Daniel Von Fange)
The contract was attacked twice. The first attempt was front-run by an MEV bot, "0xa57", which blocked the attacker's transaction, took 480 ETH itself and is known to have returned the funds; the second attempt completed successfully, with a profit of 268 ETH for the attacker.
The EFLeverVault serves a withdrawal by taking a flash loan to itself for the requested amount. In the flash loan callback it withdraws that amount from its position and leaves it as ETH on the contract; once the flash loan is repaid, it sends all ETH held on the contract to the user. The attacker exploited this by making a tiny deposit and then taking a huge flash loan from outside the protocol whose callback landed on the vault, causing the protocol to withdraw a large amount of ETH to itself. The attacker then withdrew their small deposit, and the protocol paid out both the small and the large amount to the attacker.
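The accounting flaw described above can be reproduced in a small simulation. The model below is an added example and is not EFLeverVault code: the vault, lender, 2x leverage, balances and the "attacker" and "honest_users" labels are all constructed for illustration. It runs the same vault twice, once without and once with a check that the flash loan callback was triggered by the vault's own in-flight withdrawal, and shows why the second layer of defence (paying out only the caller's share rather than the contract's whole ETH balance) also matters.

```python
"""Toy model of a leveraged vault that unwinds positions via a flash loan to itself.
Constructed example; amounts are in wei-like integer units."""

ETH = 10**18  # 1 ETH in the model's integer units


class VaultError(Exception):
    """Raised where a real contract would revert."""


class FlashLender:
    """Minimal flash-loan provider: lends `amount` to `recipient`, calls its
    callback, then takes `amount` back. Constructed model, not a real protocol."""

    def __init__(self, liquidity: int):
        self.eth = liquidity

    def flash_loan(self, recipient, amount: int, initiator) -> None:
        if amount > self.eth:
            raise VaultError("lender lacks liquidity")
        self.eth -= amount
        recipient.eth += amount
        try:
            recipient.on_flash_loan(initiator, amount)
            if recipient.eth < amount:
                raise VaultError("flash loan not repaid")
        except VaultError:
            # On chain the whole transaction reverts; undo the transfer here.
            recipient.eth -= amount
            self.eth += amount
            raise
        recipient.eth -= amount
        self.eth += amount


class LeverVault:
    """Deposits are held at 2x leverage (collateral = 2 * debt).
    With check_initiator=False the callback behaves like the flawed vault."""

    LEVERAGE = 2

    def __init__(self, check_initiator: bool, lender: FlashLender):
        self.check_initiator = check_initiator
        self.lender = lender
        self.eth = 0            # loose ETH sitting on the contract
        self.collateral = 0     # value locked in the leveraged position
        self.debt = 0
        self.shares = {}
        self.unwinding = False  # True only while the vault's own flash loan is live

    def deposit(self, user: str, amount: int) -> None:
        self.shares[user] = self.shares.get(user, 0) + amount
        self.debt += amount * (self.LEVERAGE - 1)       # borrow to reach 2x
        self.collateral += amount * self.LEVERAGE

    def withdraw(self, user: str, amount: int) -> int:
        if self.shares.get(user, 0) < amount:
            raise VaultError("insufficient shares")
        self.shares[user] -= amount
        self.unwinding = True
        try:
            # Borrow the debt backing this share so it can be repaid and the
            # collateral freed; the callback below does the unwinding.
            self.lender.flash_loan(self, amount * (self.LEVERAGE - 1), initiator=self)
        finally:
            self.unwinding = False
        # Flaw modelled after the description: everything on the contract goes
        # to the caller, not just the share just redeemed.
        payout = self.eth
        self.eth = 0
        return payout

    def on_flash_loan(self, initiator, amount: int) -> None:
        # Hardened variant: the callback only does work for the vault's own
        # in-flight withdrawal; anyone else pointing a flash loan here is rejected.
        if self.check_initiator and not (initiator is self and self.unwinding):
            raise VaultError("callback not triggered by the vault's own withdrawal")
        if amount > self.debt:
            raise VaultError("repaying more debt than exists")
        freed = amount * self.LEVERAGE // (self.LEVERAGE - 1)  # 2 * amount at 2x
        self.eth -= amount          # loan repays that much debt...
        self.debt -= amount
        self.collateral -= freed    # ...which frees the collateral it backed
        self.eth += freed           # freed collateral is now ETH on the contract


def run_attack(check_initiator: bool) -> dict:
    """Tiny deposit, attacker-initiated flash loan aimed at the vault, then withdraw."""
    lender = FlashLender(liquidity=1_000 * ETH)
    vault = LeverVault(check_initiator, lender)
    vault.deposit("honest_users", 100 * ETH)        # constructed figures
    attacker_deposit = ETH // 100                    # 0.01 ETH
    vault.deposit("attacker", attacker_deposit)
    try:
        lender.flash_loan(vault, 100 * ETH, initiator="attacker")
    except VaultError as err:
        return {"blocked": True, "reason": str(err), "attacker_gain": 0,
                "vault_collateral_left": vault.collateral}
    payout = vault.withdraw("attacker", attacker_deposit)
    return {"blocked": False, "attacker_gain": payout - attacker_deposit,
            "vault_collateral_left": vault.collateral}


def honest_roundtrip(check_initiator: bool) -> int:
    """A normal deposit/withdraw still works with the check in place."""
    vault = LeverVault(check_initiator, FlashLender(liquidity=1_000 * ETH))
    vault.deposit("honest_users", 100 * ETH)
    return vault.withdraw("honest_users", 100 * ETH)


if __name__ == "__main__":
    print("unchecked:", run_attack(False))
    print("checked:  ", run_attack(True))
```

In the unchecked run the attacker's 0.01 ETH deposit comes back with the other depositors' 100 ETH on top and the vault's collateral is left at zero; in the checked run the foreign callback reverts before any state changes, while an ordinary withdrawal is unaffected. Verifying the initiator alone is the minimal fix; sizing the payout to the redeemed share rather than to `address(this).balance` would have limited the damage even if the callback guard were bypassed.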
These attacks happened on Friday 14th October 2022, with the transaction details below.