Supported cryptocurrencies:
BTC BTC
BCH Bitcoin Cash
NANO NANO
XTZ Tezos
2 NANO
EnglishLooking to understand the DEFI Pickle Finance flash loan attack

Decentralised finance flash loan attacks seems to be occurring frequently. Etherscan tx id: https://etherscan.io/tx/0xe72d4e7ba9b5af0cf2a8cfb1e30fd9f388df0ab3da79790be842bfbed11087b0 What steps did he do and managed to withdraw 20 million from the users? How he started it ? ( Did he use a wallet? Wrote a function?) What did it cost him ? (Initial capital to begin the attack) What vulnerabilities did he saw and where? Thanks

Missalikh 5 months ago
    Tags:
  • Defi
  • Finance
  • Flashloan
  • Attack
question_image


CryptoHelp 5 months ago
Hi. This will answer all your questions https://cointelegraph.com/news/pickle-in-a-pickle-as-attacker-swipes-20-million-in-evil-jar-exploit
Agus 5 months ago
goodd,, thanks for information
Stonker 5 months ago
he swapped the jars
Missalikh 5 months ago
How, I am asking for precise information
Praghadeesh 5 months ago
What is a flash loan?
A flash loan is a decentralized finance innovation initiated by DeFi lending protocol in January. The product allows users to borrow loans without putting up any collateral. A flash loan does not conduct any credit check on borrowers.

Flash loans have gained popularity among arbitrageurs, as they may conduct the following steps to reap quick profits:

Borrow loans.
Use loans to buy tokens at a lower price on one DEX.
Resell the same tokens at a higher price on another DEX.
Repay the loan and interest.
Keep the profit.


In the case of Harvest Finance, hackers took for arbitrage profits and manipulated the DeFi market:

Hackers first sourced 50 million USDC and 18.3 million USDT flash loans from .
Hackers then converted 17.222 million USDT into USDC via , a liquidity pool in Curve Finance. The massive USDT-to-USDC conversion drove up the price of USDC and the amount of converted USDC became only 17.216 million.
Hackers then deposited 49.97 million USDC into Harvest Finance's USDC vault and received 51.46 million fUSDC. Following the deposit, the price of USDC per share decreased by 1% (from 0.98 to 0.971). As the value change did not exceed the threshold of 3%, the transactions were executed and did not revert.
Hackers converted all fUSDC to USDC with a profit of 619K USDC. Then, they repeated the same transaction several times to reap quick profits.
The hackers transferred 13 million USDC and 11 million USDT to their addresses. Then, they transferred 1.76 million USDC and 718K USDT back to the Harvest Finance team.
Can flash-loan attacks be stopped?
The Harvest Finance team identified a few possible solutions to preventing flash-loan attacks. The first one is to implement a commit-and-reveal mechanism for deposits. This mechanism would make flash-loan attacks infeasible by disabling deposits and withdrawals in the same transaction. For users, this means the deposits and withdrawals are recorded in different transactions — and they would pay slightly higher gas fees for that. The team also plans to set a lower threshold for stricter deposit arbitrage checking, which increases the economic costs to launch flash-loan attacks.
Missalikh 5 months ago
My question is about Pickle finance not for Harvest finance.
pacomesoual 5 months ago Correct
From my understanding, he exploited a vulnerability in their authentification system for contracts files and created fake contracts JARs that would get aproved then swapped them with real contracts to do fraudulent financial operations without being noticed fast enough for it to be stopped/fixed.
I believe the vulnerability has been fixed now, well... this one, anyway.
pacomesoual 5 months ago
yeah, i looked more into it and it seems he did exactly that, he created a normal approved contract and swapped the contract itself with another fraudulent one he tweaked, but keeping the "authorized" part of it intact and untouched.
Missalikh 5 months ago
Thanks paco, your explanation is good. Appreciated.