filda-854FilDAFilDA is a highly secure decentralized digital asset banking platform. Huobi ECO Chain (HECO) and IoTeX provide a safe and secure environment with fast transactions and low fees. An exploit was orchestrated by an attacker on FilDA-ESC resulting in a lost of $1.677M of various stablecoins. The root cause of this issue is that the protocol does not handle flashloans of ERC677 tokens properly. Identified attack path was: 1. The underlying token is borrowed via a flashloan. 2. The borrowed token is then deposited into the protocol via the callback function, which is controlled by the attacker. Lots of extra fTokens are minted at this step. 3. The borrowed token is returned to the protocol via a flashloan callback, but lots of fTokens are left to the attacker. 4. Most of the cash in the lending pool is redeemed.

Detail Analysis

< Back

FilDA

Submit Incident Report

Date:

Status:

Count:

Contributor:

April 12, 2022

Verified

zerofriction.io

Loss Amount:

1,677,000

Recovered Amount:

Currency:

Dollars, USDC, HUSD, BUSD, BTC, ETH

KYC By:

Audit By:

None

Certik, FairyProof, PeckShield, SlowMist

Website:

https://www.filda.io/

Twitter:

https://twitter.com/fildafinance

Discord:

No data

Telegram:

https://t.me/FilDAcommunity

Medium:

https://fildafinance.medium.com/

Github:

https://github.com/fildaio/FilDA

Key Indicators

Platform:

Type:

Category:

Method:

Elastos Sidechain

Protocol

Lending

Contract Vulnerabilities

Extended Method:

Does not handle flashloans of ERC677 tokens properly

Data Sources:

https://fildafinance.medium.com/filda-incident-community-update-ii-e80b05cd0d2

FilDA is a highly secure decentralized digital asset banking platform. Huobi ECO Chain (HECO) and IoTeX provide a safe and secure environment with fast transactions and low fees. An exploit was orchestrated by an attacker on FilDA-ESC resulting in a lost of $1.677M of various stablecoins.

The root cause of this issue is that the protocol does not handle flashloans of ERC677 tokens properly.

Identified attack path was:

1. The underlying token is borrowed via a flashloan.
2. The borrowed token is then deposited into the protocol via the callback function, which is controlled by the attacker. Lots of extra fTokens are minted at this step.
3. The borrowed token is returned to the protocol via a flashloan callback, but lots of fTokens are left to the attacker.
4. Most of the cash in the lending pool is redeemed.

DISCLAIMER: While Zero Friction LLC has used the best efforts in aggregating and maintaining this database, Zero Friction LLC makes no representations or warranties with respect to the accuracy or completeness, and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose.

Under no circumstances, shall Zero Friction LLC be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the dataset or information derived from our database.

< Back