Warp Finance loses up to $8 million in a flash loan attack

On 17th December 2020, the Warp Finance protocol was drained through a flash loan exploit made possible by a gameable price oracle: Warp valued Uniswap LP tokens from the pair's spot reserves, which a single large swap can move within one transaction.

The attacker's address held only 1 ETH, funded through Tornado Cash; the capital for the attack itself came entirely from flash loans.

The attack chained multiple flash loans from dYdX and flash swaps from Uniswap V2, amounting to 2.9 million DAI and 344.8K WETH. Warp Finance priced its Uniswap LP (Liquidity Provider) token collateral from manipulable reserve data, which allowed the attacker to siphon 7.8 million DAI from Warp's vault by manipulating the reported value of the Uniswap V2 WETH-DAI LP tokens.

The attacker deposited the dYdX flash loan into the Uniswap V2 WETH-DAI pair as liquidity, minting 94,349 LP tokens in return.

The minted LP tokens were then deposited into the Warp vault as collateral. The attacker next swapped 341,000 WETH for 47.6 million DAI in the same pair, draining its DAI side and pushing the pool's DAI/WETH price far from market. Because Warp's oracle valued the LP tokens from the pair's spot reserves, the reported LP token value doubled to 135,470,392.

Against this inflated collateral the attacker borrowed 3.86M DAI and 3.9M USDC from Warp Finance, worth approximately $7.8 million in total, and then repaid the dYdX and Uniswap V2 flash loans within the same transaction.
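The mechanism above is worth seeing in numbers. The following toy model is an added example and is not Warp Finance's code; the pool size, the reference price of 600 DAI per WETH and the attacker's amounts are constructed, not the real on-chain figures. It compares two ways of pricing Uniswap V2 LP tokens: the naive one (spot reserves valued at reference prices, divided by LP supply), which a large swap inflates because reserves on a constant-product curve sum to the least when the pool is balanced, and a swap-invariant one, 2*sqrt(k*p0*p1)/supply, that depends only on k = x*y and so cannot be pumped inside a transaction.

```python
"""Toy reconstruction of the oracle flaw behind the Warp Finance drain.

Constructed figures, not the real on-chain numbers: a WETH/DAI
constant-product pool, an assumed external reference price of 600 DAI
per WETH, and a lender that values Uniswap V2 LP collateral two ways.

naive: (r_weth * p_weth + r_dai * p_dai) / total_supply
       spot reserves at reference prices; a large swap inflates it
fair:  2 * sqrt(r_weth * r_dai * p_weth * p_dai) / total_supply
       depends only on k = r_weth * r_dai, which a swap leaves almost
       unchanged (only the 0.3% fee grows it), so it cannot be pumped
"""
from dataclasses import dataclass
from math import sqrt

P_WETH = 600.0  # reference price from an external feed (assumed)
P_DAI = 1.0


@dataclass
class Pool:
    """Minimal Uniswap V2 style pair: token0 = WETH, token1 = DAI."""
    r0: float      # WETH reserve
    r1: float      # DAI reserve
    supply: float  # LP tokens outstanding

    def mint(self, a0: float, a1: float) -> float:
        """Add liquidity; returns LP tokens minted (Uniswap V2 rule)."""
        lp = min(a0 * self.supply / self.r0, a1 * self.supply / self.r1)
        self.r0 += a0
        self.r1 += a1
        self.supply += lp
        return lp

    def swap_weth_for_dai(self, amount_in: float) -> float:
        """Sell WETH into the pool for DAI, 0.3% fee as in Uniswap V2."""
        in_with_fee = amount_in * 997
        out = in_with_fee * self.r1 / (self.r0 * 1000 + in_with_fee)
        self.r0 += amount_in
        self.r1 -= out
        return out


def naive_lp_price(pool: Pool, p0: float, p1: float) -> float:
    """Reserves valued at reference prices, divided by LP supply."""
    return (pool.r0 * p0 + pool.r1 * p1) / pool.supply


def fair_lp_price(pool: Pool, p0: float, p1: float) -> float:
    """Swap-invariant LP price: 2*sqrt(k*p0*p1)/supply."""
    return 2 * sqrt(pool.r0 * pool.r1 * p0 * p1) / pool.supply


def run_attack(weth_dump: float = 340_000.0) -> dict:
    """Replay the three-step pattern with constructed numbers."""
    pool = Pool(r0=100_000.0, r1=60_000_000.0,
                supply=sqrt(100_000.0 * 60_000_000.0))
    # 1. Flash-loaned funds go in as balanced liquidity; LP tokens are minted
    #    and (in the real attack) posted to the lender as collateral.
    lp = pool.mint(5_000.0, 3_000_000.0)
    naive_before = naive_lp_price(pool, P_WETH, P_DAI) * lp
    fair_before = fair_lp_price(pool, P_WETH, P_DAI) * lp
    # 2. The rest of the flash loan is dumped into the same pair, draining DAI.
    dai_out = pool.swap_weth_for_dai(weth_dump)
    naive_after = naive_lp_price(pool, P_WETH, P_DAI) * lp
    fair_after = fair_lp_price(pool, P_WETH, P_DAI) * lp
    # 3. A lender using the naive figure now lets this collateral back a loan
    #    worth roughly twice what was actually deposited.
    return {
        "lp_minted": lp,
        "dai_drained": dai_out,
        "naive_before": naive_before, "naive_after": naive_after,
        "fair_before": fair_before, "fair_after": fair_after,
        "naive_inflation": naive_after / naive_before,
        "fair_inflation": fair_after / fair_before,
    }


if __name__ == "__main__":
    r = run_attack()
    print(f"collateral at deposit : naive {r['naive_before']:,.0f}  fair {r['fair_before']:,.0f}")
    print(f"collateral after dump : naive {r['naive_after']:,.0f}  fair {r['fair_after']:,.0f}")
    print(f"inflation             : naive x{r['naive_inflation']:.2f}  fair x{r['fair_inflation']:.4f}")
```

With these inputs the naive valuation of the attacker's LP position more than doubles after the dump while the fair valuation moves by about a tenth of a percent. The naive figure is only what the pool would redeem for while the attacker's own swap is in flight; it reverts as soon as the swap is unwound later in the same transaction, which is why a lender cannot safely borrow against it. A time-weighted average price for the LP token, or the swap-invariant formula above fed by unmanipulable reference prices, removes the lever.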

Warp Finance recovered 75%: is it "decentralised"?

Warp Finance recovered $5.85 million by transferring the administration rights of its smart contracts to one of its externally owned accounts.

To restore affected users to the position they were in before the attack, Warp Finance reported that it will issue an IOU token to each user. This could potentially leave them with a profit on what they held at the time of the attack.

This raises the question of whether Warp Finance is in fact decentralised if the team is able to take control of and liquidate user funds. As with SushiSwap, a Warp developer has a window of opportunity to act maliciously and liquidate those funds.

Warp Finance has yet to return the administration rights to its smart contracts.