On 29 May 2022, Novo Defi’s token, Novo, was exploited via a flash loan attack. The incident caused a loss of ~278 BNB (or around $83K).
The attacker exploited a vulnerability in their contract’s transferFrom() function and which allowed the attacker to manipulate the token price in the PancakeSwap pair.
Novo Defi relaunched on 21 July 2022 and set about recovering but had another set back on October 11 after they were exploited for ~$16k while making an update to their reward program.
Novo Defi is a decentralized and deflationary volume-based cryptocurrency protocol that operates on the Binance Smart Chain. Novo utilises their deflationary NOVO token which provides users with staking rewards.
On 29 May 2022, an attacker exploiter a vulnerability in Novo’s transferFrom() function. The vulnerability allowed the attacker to manipulate the price of NOVO and drain the liquidity pool of 278 BNB via a flash loan.
After a 6 week absence, on 21 July 2022, Novo announced on their Twitter page that they were back with V2 of their contract which was more secure. Unfortunately, during a routine code update an untested function was pushed to mainnet. When this function was called, it opened up an arbitrage opportunity which was exploited by a bot that was monitoring the mempool for such situations. The bot was able to execute a transaction within the same block as Novo calling the untested function and made $16k from the arbitrage trade.
Here we break down the exploit transactions and see how the attackers were able to drain funds worth $83k and $16k respectively, at the time of exploit, from Novo.
May 29, 2022__text in bold__
__October 11, 2022 __
__May 29, 2022 __
2.The attacker then drained the NOVO supply in the PancakeSwap pool, through a vulnerable transferFrom() function, and transferred out 113,951,614 NOVO.
This transaction also triggered _taketreasury() and addLiquidity()
The flash loan was completed by repaying the 17.2 WBNB loan leaving the attacker with 248 WBNB
The attacker conducted the exploit a second time and gained another 30 BNB after borrowing and repaying 17.2 WBNB
May 29, 2022
In the Novo contract a vital check had been left commented out. The commented out code would have checked that the amount a sender wanted to send did not exceed the allowance. This would have prevented the exploit.
October 11, 2022
In the Novo Discord channel, it was stated that a new function had made it on to the mainnet before it had been tested. The new function that was added to their smart contract was an update to their reward scheme that would allow users to see rewards in real time. When they called the function in a live environment, it opened up an arbitrage opportunity which was taken advantage of.
The attacker took 278 BNB during this incident which was sent to a separate EOA 0x0376 during the flash loan transactions. The attacker then sent all the funds to Tornado Cash, an online mixer which obfuscates transaction tracing.
These 2 incidents involving Novo show just how devastating even smaller exploits can be and the importance of having audited contracts. Particularly with the exploit on 11 October where a bot has been able to detect an arbitrage opportunity. As everyone is able to see transactions in the mempool before they are executed you can be exploited within the same block.
According to Novo’s Discord channel, they are now in the process of deciding the future of the project. This is an example of why a project lifecycle security mindset is necessary at all stages of a projects conception to deployment and beyond. Rigorous testing, before and after a deployment and on test-nets is needed to help reduce failure.