Allbridge is offering a bounty to the hacker who knocked of $573K from the platform in a flash loan attack. On April 3rd, Allbridge tweeted that the hacker contacted them are returned 1500 BNB. The bridging solutions provider added that a second address associated with the hack did not contact them yet. The second address contains 0.97 BNB or around $300. Allbridge is trying to reach out to the second attacker as well.
“The remaining funds will be considered a white hat bounty to this person,” Allbridge added.
A flash loan attack involves a hacker availing a flash loan (a sum loaned without collateral, but must be paid in the same transaction/block) and then manipulating prices on another chain.
The hacker, masquerading as a liquidity provider and swapper, manipulated the swap price on the BNB Chain. In the process, the hacker pocketed $282,889 in BUSD and $290,868 in USDT (total being $573,757). PeckShield, a blockchain security firm was the first to discover the hack; it reported the hack on Twitter on April 1st.
Allbridge temporarily shut down the bridge to prevent exploits on other pools.
Smart contract and blockchain security platform CertiK explained the hack on Twitter on April 2nd. After making flash loan of 7.5 million BUSD, the hacker made several swaps and deposits in the BUSD and USDT liquidity pool. Finally, the attacker manipulated the price and swapped 40K BUSD for close to 2 million USDT on Allbridge. From the attack, the hacker stole ‘approximately $549,874.’
Soon after the hack was discovered last Saturday, Allbridge offered the hacker a chance to come out as a white hat (an ethical hacker who identifies anomalies, loopholes in a piece of code).
According to CertiK, in the second quarter of 2022, 27 flash loan attacks saw $308 million being stolen. On March 31st, Peckshield reported that 26 hacks were reported in March alone.
Allbridge’s statement: “Please contact us via the official channels (Twitter/Telegram) or send a message through tx, so we can consider this a white hat hack and discuss the bounty in exchange for returning the funds.”
However, Allbridge warned that they are actively tracking the hacker via social networks with the help of “partners and community.”
“We are also talking with projects that were affected by the hacker, who may assist us in pinpointing the attacker.” Allbridge tweeted. Allbridge added that it is working with law firms and law enforcement agencies to track the hacker.
Euler Labs, a non-custodial lending and borrowing protocol suffered an exploit that wiped out over $190 million on March 13th. Post negotiations with the hacker, Euler convinced the hacker to return 90% of the ‘recoverable funds.’
Flash loans can be used to make legitimately if the loans generate profit. However, attackers manipulate the protocol’s smart contract to artificially create arbitrage opportunities and netting huge sums in the process. When huge sums are loaned and withdrawn instantly, the entire pool will suffer.
Given that flash loans are a relatively new concept (AAVE introduced flash loans in 2020), it will be a while before protocols are completely protected against flash loan attacks.
Source: https://www.thecoinrepublic.com/2023/04/06/allbridge-flash-loan-attack-hacker-accepts-bounty-returns-funds/