Elephant Money, a stablecoin platform that uses the TRUNK token, fell victim to a flash loan attack that manipulated a token price oracle, leading to a loss of $22.2 million:
We are pausing the Reserve which will disable Stampede and the minting/redeeming of TRUNK.
We are working with our partners at Certik /InsurAce to investigate this attack.
ACTION YOU SHOULD TAKE
– DO NOT SELL
– DO NOT ANSWER DMS
– YOUR FUNDS ARE SAFU https://t.co/h6Cnz1ANw6 pic.twitter.com/zoSC3qofIO
— Elephant Money (@ElephantStatus) April 12, 2022
In the official post-mortem, Elephant Money stated a loss of $11.2m, which does not take into account that 30,414 billion $ELEPHANT tokens were also stolen; including them brings the total losses to the figure above:
Reserve Exploit: Live Updates
We are investigating a coordinated exploit by several bad actors in the space against the HERD. (medium.com)
Elephant Money Stable (TRUNK) is partially collateralized by BUSD at 75% guaranteed. TRUNK passively hardens its collateralization ratio of the remaining 25% on the dollar as the Elephant Money ecosystem grows. So, what exactly did the attacker do to carry out the attack?
The attacker exploited the $TRUNK token’s redeem mechanism, modified the price oracle to enable token return, and stole ELEPHANT from the unverified Treasury contract.
The attacker’s address was initially funded via Tornado Cash:
https://bscscan.com/tx/0xf678370cf3ee8d5df5ae319577b46bf3834ec6ffb44f2c1ebe86ed702b0b22a2
First, using a flash loan, the attacker borrowed 131,162 WBNB and 91,035,000 BUSD. The attacker then exchanged the 131,162 WBNB for 34,244 ELEPHANT tokens.
The example transaction:
https://bscscan.com/tx/0xec317deb2f3efdc1dbf7ed5d3902cdf2c33ae512151646383a8cf8cbcd3d4577
To mint new TRUNK tokens, BUSD must be deposited in the minting contract. Once the contract receives BUSD, it swaps it to WBNB, which it in turn uses to buy back ELEPHANT tokens and increase their market value.
Since the attacker now holds ELEPHANT tokens with an increased market value, he swaps them back to WBNB, exchanging 34,244 ELEPHANT for 163,782.82 WBNB.
In the next step, the attacker redeems TRUNK for 36,987.33 WBNB and 66,884,140.12 BUSD. After repaying the flash loans of 131,162 WBNB and 91,035,000 BUSD, a profit of $4M was realized by the attacker.
The attacker then repeated the same actions over several cycles.
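The buy / mint / sell leg described above, reduced to a constant-product pool, as an added example that is not part of the original post or Elephant Money's code. The reserves and amounts are constructed rather than the incident's figures, swap fees and the TRUNK deposit and redemption are left out, and `mint_allowed` is a hypothetical guard that compares the spot price with a pre-transaction reference such as a TWAP.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product WBNB/ELEPHANT pool (x * y = k), swap fees ignored."""
    wbnb: float
    elephant: float

    def price(self) -> float:
        """Spot price of one ELEPHANT in WBNB."""
        return self.wbnb / self.elephant

    def buy(self, wbnb_in: float) -> float:
        """Swap WBNB in, return ELEPHANT out."""
        out = self.elephant * wbnb_in / (self.wbnb + wbnb_in)
        self.wbnb += wbnb_in
        self.elephant -= out
        return out

    def sell(self, elephant_in: float) -> float:
        """Swap ELEPHANT in, return WBNB out."""
        out = self.wbnb * elephant_in / (self.elephant + elephant_in)
        self.elephant += elephant_in
        self.wbnb -= out
        return out


def mint_allowed(pool: Pool, reference: float, max_dev: float = 0.05) -> bool:
    """Hypothetical guard: allow the mint buyback only near the reference price."""
    return abs(pool.price() - reference) / reference <= max_dev


def cycle_gain(attacker_wbnb: float, buyback_wbnb: float, guarded: bool) -> float:
    """WBNB gained on the ELEPHANT leg of one buy / mint / sell cycle."""
    pool = Pool(wbnb=1_000.0, elephant=1_000_000.0)  # constructed reserves
    reference = pool.price()           # price before the transaction (e.g. a TWAP)
    held = pool.buy(attacker_wbnb)     # flash-loaned WBNB -> ELEPHANT
    if not guarded or mint_allowed(pool, reference):
        pool.buy(buyback_wbnb)         # mint: deposit is swapped into ELEPHANT
    return pool.sell(held) - attacker_wbnb  # ELEPHANT -> WBNB at the new price


if __name__ == "__main__":
    print("unguarded gain:", round(cycle_gain(500.0, 500.0, guarded=False), 2))
    print("guarded gain:  ", round(cycle_gain(500.0, 500.0, guarded=True), 2))
```

With these constructed numbers the unguarded cycle returns 300 WBNB more than was put in, while the guarded cycle is a zero-gain round trip because the buyback never runs once the spot price has left the reference band.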
Stolen funds were distributed among a number of external addresses. The whole picture was tracked by PeckShield:
The list of addresses to which the funds were sent and where they now remain:
At the time of writing, the TRUNK stablecoin price has recovered.
In the post-mortem, the team stated: “Strategic buyback of TRUNK has begun to fund the upcoming TRUNK Treasury. $391K of TRUNK has been purchased to date by the ELEPHANT Deployer:
https://bscscan.com/address/0x16e76819ac1f0dfbecc48dfe93b198830e0c85eb#tokentxns”
This attack shows that asset-pegged tokens still have many vulnerabilities and are subject to various manipulations, which affect both protocols and their users.
The question arises as to their usefulness to the ecosystem in general and what benefits they can bring using such a vulnerable model, other than short-term returns with high investment risk. However, “apeing” has always been fun.
As always, stay safe and DYOR!