‘Very clever flash loan attack’ drains US$800k from Wault Finance’s WUSD stablecoin just 10 hours after launch
Link copied to
A flashloan attack has hit Wault Finance, a decentralised finance project on Binance Smart Chain and Polygon with US$335 million total value locked (TVL) in its protocol.
The attack involved WUSD, the project’s just-released “commerce-backed” stablecoin that’s backed by a mix of 90 per cent Tether and 10 per cent of Wault’s WEX token.
The attacker used flashloans — uncollaterialised blockchain loans that are borrowed and repaid in the same transaction — to carry out the arbitrage attack.
According to an account by security firm Inspex, the attacker used a complex series of flashloans and tokens swaps to profit. In essence, they seemed to have minted millions in WUSD, used those funds to buy WEX to pump the price, causing WEX to triple in value. They then redeemed the WUSD at that inflated rate and they dumped the WEX for an instant US$800,000 profit.
4. The attacker staked the flashloaned $USDT to WUSDMaster contract. The 10% of staked $USDT was swapped to $WEX ($WEX price was increased) and the attacker gained the $WUSD with a 1:1 rate. pic.twitter.com/xptL1SO9bq
— Inspex (@InspexCo) August 4, 2021
Wault Finance described it as a “some kind of very clever flash loan attack”.
All of the WEX that was wrapped up in the WUSD contract was drained, meaning that tokenholders in the stablecoin are out 10 per cent.
However Wault Finance was pledging to use US$150 million in its treasury and other means to fill the gap and restore the WUSD token’s collateral.
(1)There was a flash loan attack on WUSD. We’re investigating it with 3 audit firms, and minting is temporarily disabled.
The initial estimated attacked amount is 800k.
However, the 90% of USDT collateral is secure as intended, along with all pools & vaults. Good news below V
— Wault Finance (@Wault_Finance) August 4, 2021
The price of Wault’s WEX token plunged from US1.5c to US0.6c as word of the attack spread.
“Will there be rewards for the injured?” one user asked in Wault’s Telegram chat. “‘Cause it’s f***king disgusting how it happened, it wasn’t a normal market pullback.”
Some users of Alpaca Finance, a platform where people could take leveraged positions involving Wault Finance’s tokens, were reporting being liquidated.
Wault had launched WUSD at 2am AEST today and the attack occurred less than 10 hours later, at 11.49am AEST. Over US$10 million in WUSD had been minted in the first few hours of the launch, Wault tweeted before the attack.