At 7:00 PM UTC on Tuesday April 12th 2022, an exploit was orchestrated by an attacker on FilDA-ESC. The dev team immediately began to diagnose the cause alongside our security partners. The cause has been preliminarily identified, and the dev team urgently suspended all deposits and borrowing on FilDA-ESC.
Please note that FilDA contracts on HECO, IoTeX, Arbitrum, Polygon and BNB Chain are unaffected by this incident. They remain active and open.
Summary
1. Compromised funds: 1,677,000 USD (but could reach up to 2 million USD)
2. It’s our responsibility for the engineering error, and we are taking every measure to ensure such incidents won’t happen again.
3. Getting back the funds is the top priority. People are suffering from this loss. We humbly request the attacker returns the funds.
4. We plan to suspend all operations of FilDA (including withdrawal and repayment) for snapshot at 5:00 AM UTC on April 15th. A plan to reopen the market on ESC and a remediation plan for affected users is being drafted.If you have lost funds please contact us here: https://forms.gle/7BTJX3YwTm8Chq7U6
Compromised funds
Compromised Assets:
- USDC 279,341
- HUSD 721,673.8
- BUSD 440,158.353
- BTC 4.402465184
- ETH 17.91882523
Chains:
(Attacker Address; Balance)
ETH: 0x93c3A8051b8ba814eB5FB22d655681720E6a4d74;
- 703,266.3649 DAI
- 80.4495 ETH
Heco: 0x93c3A8051b8ba814eB5FB22d655681720E6a4d74
- 0.6505 HT
- 24,975 ELA
Elastos: 0x93c3A8051b8ba814eB5FB22d655681720E6a4d74
- 21,713.1623 ELA
Elastos Smart Chain: 0x4a9a0cC103199F67730bdC61337d192788858874
- 18.9021 ELA
- 0.6 ETH
BNB Chain: 0x93c3A8051b8ba814eB5FB22d655681720E6a4d74
- 0.1286 BNB
The root cause of this issue is that the protocol does not handle flashloans of ERC677 tokens properly.
Attack analysis
Attacker address: 0x4a9a0cC103199F67730bdC61337d192788858874
Money Laundering address: 0x93c3A8051b8ba814eB5FB22d655681720E6a4d74
Attacker contract: 0x00Ff915E663F4037D18B0C83575Ac8f3D4D05BC3
Below is the attack path:
- The underlying token is borrowed via a flashloan.
- The borrowed token is then deposited into the protocol via the callback function, which is controlled by the attacker. Lots of extra f tokens are minted at this step.
- The borrowed token is returned to the protocol via a flashloan callback, but lots of fTokens are left to the attacker.
- Most of the cash in the lending pool is redeemed.
FilDA on other chains is not affected since the issue is only related to ERC677 tokens and such types of tokens are only supported by FilDA on ESC.
Attacker information and bounty:
- We are putting out a $100K bounty for the first person or team that helps return the funds.
- Please do not doxx the attacker in the process.
We strongly advise focusing all efforts on ensuring that user funds are successfully returned.
Steps taken
- All deposits and borrowing are suspended. Bridges to/from ESC are currently suspended. We are proposing to use HECO DAO and Elastos DAO to help track the lost funds.
- The root cause has been identified by the dev team and Slowmist. A post-mortem will be released soon. We are discussing potential plans to reopen the market on ESC following consultation with our security partners and the community.
- Losses and affected users are being counted. A remediation plan is being drafted.
- In order to avoid further losses, we will suspend interest calculation and will not carry out additional liquidation of high-debt assets. We plan to suspend all operations of FilDA (including withdrawal and repayment) for snapshot at 5:00 AM UTC on April 15th. After the information and data is processed, and security confirmed, the platform will be able to gradually return to normal. We are aiming for this to be as soon as possible.
