Decentralized finance (DeFi) protocol Impossible Finance has lost as much as $500,000 in user funds during a flash loan attack today. The attack on Impossible Finance’s liquidity pool occurred at around 4:40 AM UTC on June 21 and resulted in a loss of 229.84 ETH (about $0.5 million at the time).
Mudit Gupta, a core developer of SushiSwap, said it was the same type of vulnerability that was exploited in a recent $7.2 million attack on BurgerSwap, another protocol built on the Binance Smart Chain (BSC).
Similar to that incident in May, the hacker launched a flash loan attack to drain Impossible Finance’s liquidity pool with the help of a fake token.
Impossible finance got exploited today for $500k. https://t.co/mzCPRluOjn
Same exploit as the burger swap one: https://t.co/3PkVtn7Hi7
If the original project gets hacked, why don’t the forks react?
— Mudit Gupta (@Mudit__Gupta) June 21, 2021
A flash loan attack is an exploit wherein a hacker takes an uncollateralized loan from a lending protocol and manipulates the market in their favor via a series of technical tricks.
Security firm WatchPug said that the hacker used a vulnerability in the liquidity pool’s smart contract to perform multiple swaps of IF, Impossible Finance’s native token, to BUSD and then to BNB to repay the flash loan.
The unusual thing, however, is that the swaps were made “in a row at about the same price,” which is “usually impossible” because of the slippage.
At 4 AM UTC, Jun 21, $0.5M was stolen from Impossible Finance.
The hacker made multiple swaps in a row at about the same price and drained the LP, which is usually impossible.
How does Impossible Finance make the impossible possible?
Read our analysis: https://t.co/3r0p1dOFWz
— WatchPug (@WatchPug_) June 21, 2021
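Why repeated swaps at about the same price stand out, shown as an added example that is not from the article or from Impossible Finance's code. It assumes a constant-product (x * y = k) pool with a 0.3% fee, which the article does not specify; the reserves, trade sizes and function names are constructed for illustration. The audit function replays observed swaps and flags any that paid out more than the pricing model allows.

```python
from fractions import Fraction

FEE = Fraction(3, 1000)  # assumed 0.3% swap fee; the page does not state the fee


def swap_out(reserve_in, reserve_out, amount_in, fee=FEE):
    """Tokens paid out by a constant-product pool for amount_in."""
    net_in = amount_in * (1 - fee)
    return reserve_out * net_in / (reserve_in + net_in)


def simulate(reserve_in, reserve_out, amount_in, n):
    """Run n identical swaps against an honest pool; return (in, out) pairs."""
    trades = []
    for _ in range(n):
        out = swap_out(reserve_in, reserve_out, amount_in)
        reserve_in += amount_in   # the fee stays in the pool
        reserve_out -= out
        trades.append((amount_in, out))
    return trades


def audit_swaps(reserve_in, reserve_out, observed, tolerance=Fraction(1, 1000)):
    """Replay observed swaps; return indexes that paid out more than the model allows."""
    flagged = []
    for i, (amount_in, amount_out) in enumerate(observed):
        expected = swap_out(reserve_in, reserve_out, amount_in)
        if amount_out > expected * (1 + tolerance):
            flagged.append(i)
        reserve_in += amount_in
        reserve_out -= amount_out
    return flagged


# Constructed sample data: a 1000 IF / 1000 BUSD pool and three 100 IF swaps.
HONEST = simulate(1000, 1000, 100, 3)
# Constructed anomaly: every swap is paid the first swap's price.
FLAT = [(100, HONEST[0][1])] * 3

if __name__ == "__main__":
    for label, trades in (("honest", HONEST), ("flat", FLAT)):
        prices = [round(float(out / amt), 4) for amt, out in trades]
        print(label, prices, "flagged:", audit_swaps(1000, 1000, trades))
```

In the honest run each swap executes at a worse price than the one before it, while the flat run is flagged from the second swap onward.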
Other notable victims of flash loan attacks on the Binance Smart Chain include PancakeBunny, which lost as much as $45 million in customer funds, and BeltFinance, which was exploited for $6.2 million.
The team behind the Impossible Finance protocol confirmed the news on Telegram and assured users that it would compensate all funds deposited into liquidity pools prior to the attack.
Currently, all liquidity pool rewards are paused, while users are urged not to add or withdraw funds for IF/BUSD and IF/BNB pairs. The team said it is working with PeckShield, WatchPug, and “other community whitehats to investigate the situation and will have a detailed event report.”
The attack on Impossible Finance happened less than three weeks after the protocol had raised $7 million in a seed round co-led by True Ventures, CMS Holdings, Alameda Research, and Hashed.
The project was initially built on the Binance Smart Chain but allegedly plans to expand its functionality to Ethereum and Polygon.