Price Manipulation Attack: Elephant Money loses $22.2 million

Elephant Money, a stablecoin platform that uses the TRUNK token, fell victim to a flash loan attack that manipulated a token price oracle, leading to a loss of $22.2 million.

In the official post-mortem, Elephant Money stated a loss of $11.2m, not taking into account that 30,414 billion $ELEPHANT tokens were also stolen, which brings the total losses to the figure above:
Reserve Exploit: Live Updates (medium.com)
We are investigating a coordinated exploit by several bad actors in the space against the HERD.

Elephant Money Stable (TRUNK) is partially collateralized by BUSD, with 75% guaranteed. TRUNK passively hardens its collateralization ratio of the remaining 25% on the dollar as the Elephant Money ecosystem grows. So, what exactly did the attacker do to carry out the attack?

The attacker exploited the $TRUNK token’s redeem mechanism, modified the price oracle to enable token return, and stole ELEPHANT from the unverified Treasury contract.

The attack analysis

The attacker’s address was initially funded via Tornado Cash:
https://bscscan.com/tx/0xf678370cf3ee8d5df5ae319577b46bf3834ec6ffb44f2c1ebe86ed702b0b22a2

First, using the flash loan, the attacker borrowed 131,162 WBNB and 91,035,000 BUSD. The attacker then exchanged the 131,162 WBNB for 34,244 ELEPHANT tokens.

The example transaction:
https://bscscan.com/tx/0xec317deb2f3efdc1dbf7ed5d3902cdf2c33ae512151646383a8cf8cbcd3d4577

To mint new TRUNK tokens, BUSD must be deposited in the minting contract. Once the contract receives the BUSD, it swaps it to WBNB, which it in turn uses to buy back ELEPHANT tokens and increase their market value.

Since the attacker now held ELEPHANT tokens with an increased market value, he swapped them back to WBNB, resulting in 34,244 ELEPHANT exchanged for 163,782.82 WBNB.

In the next step, the attacker redeems TRUNK for 36,987.33 WBNB and 66,884,140.12 BUSD. After repaying the flash loans of 131,162 WBNB and 91,035,000 BUSD, a profit of $4M was realized by the attacker.

The attack proceeded by making several cycles of the same actions.
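The sequence above can be reproduced in a toy model. The following is an added example, not code from Elephant Money or from this article's authors: it assumes a fee-free constant-product WBNB/ELEPHANT pool with constructed reserves and amounts, and the `reference` price check in `mint_buyback` is a hypothetical mitigation (for instance a time-weighted average price), not something the protocol is known to have implemented.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Constant-product WBNB/ELEPHANT pool; fees ignored, reserves constructed."""
    wbnb: float
    elephant: float

    def spot(self) -> float:
        return self.wbnb / self.elephant            # WBNB per ELEPHANT

    def swap_wbnb_in(self, amount: float) -> float:
        k = self.wbnb * self.elephant
        self.wbnb += amount
        out = self.elephant - k / self.wbnb
        self.elephant -= out
        return out                                  # ELEPHANT received

    def swap_elephant_in(self, amount: float) -> float:
        k = self.wbnb * self.elephant
        self.elephant += amount
        out = self.wbnb - k / self.elephant
        self.wbnb -= out
        return out                                  # WBNB received

class PriceDeviation(Exception):
    """Raised when the pool's spot price is too far from the reference price."""

def mint_buyback(pool, wbnb_from_deposit, reference=None, max_dev=0.05):
    """Buyback leg of a TRUNK mint. With `reference` set (hypothetical
    parameter, e.g. a TWAP), refuse to trade when spot drifted past max_dev."""
    if reference is not None:
        if abs(pool.spot() - reference) / reference > max_dev:
            raise PriceDeviation(f"spot {pool.spot():.2f} vs reference {reference:.2f}")
    return pool.swap_wbnb_in(wbnb_from_deposit)

def round_trip(guarded: bool) -> float:
    """WBNB gained by a trader who buys before the mint and sells after it."""
    pool = Pool(wbnb=100_000.0, elephant=100_000.0)  # constructed reserves
    reference = pool.spot()                          # price before the sequence
    bought = pool.swap_wbnb_in(100_000.0)            # large buy moves spot 1 -> 4
    mint_buyback(pool, 50_000.0, reference if guarded else None)
    return pool.swap_elephant_in(bought) - 100_000.0
```

Without the check, the trader's gain is paid for by the protocol's own buyback, which purchases ELEPHANT at the inflated price; with the check, the mint fails because spot is four times the reference, which on-chain would revert the whole transaction.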

Stolen funds were distributed between a bunch of external addresses. The whole picture was tracked by PeckShield:

The list of addresses to which the funds were sent, and where they now lie:

At the time of writing, the TRUNK stablecoin price has recovered.

In the post-mortem, the team stated: “Strategic buyback of TRUNK has begun to fund the upcoming TRUNK Treasury. $391K of TRUNK has been purchased to date by the ELEPHANT Deployer:

https://bscscan.com/address/0x16e76819ac1f0dfbecc48dfe93b198830e0c85eb#tokentxns

This attack shows that asset-pegged tokens still have many vulnerabilities and are subject to various manipulations, which affect both protocols and their users.

The question arises as to their usefulness to the ecosystem in general and what benefits they can bring using such a vulnerable model, other than short-term returns with high investment risk. However, “apeing” has always been fun.

As always, stay safe and DYOR!
