Project name: FilDA
Project type: Lending
Date of exploit: April 22, 2023
Asset loss: $700K
Vulnerability: Exchange rate manipulation
Date of audit report publication: June 1, 2021
Conclusion: Out of audit scope
FilDA provides a lending protocol where users deposit tokens as collateral and then borrow other tokens against them.
The exchange rate between a market's receipt tokens and its underlying asset is calculated as exchangeRate = (Cash + totalBorrows - totalReserves) / totalSupply. Because Cash in this formula is simply the amount of htHBTC held by the FilDA htHBTC market contract, anyone can raise it by transferring htHBTC directly to the contract without minting receipt tokens. The attacker did exactly that: by donating a large amount of htHBTC to the contract, the exploiter inflated exchangeRate, and with it the value the protocol assigned to the attacker's collateral. As a result, the attacker was able to borrow more from the pool than the collateral was actually worth.
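The following simulation is an added illustration of the formula above, not FilDA's or Compound's code: it models a single market with constructed balances and shows how a direct token transfer moves the exchange rate when Cash is read from the contract's token balance, versus when Cash comes from an internal ledger that only mint, redeem, borrow and repay update (the ledger approach is one assumed mitigation pattern, not something the page attributes to FilDA).

```python
# Added simulation of exchangeRate = (Cash + totalBorrows - totalReserves) / totalSupply.
# All balances below are constructed sample values, not figures from the incident.
from dataclasses import dataclass

SCALE = 10**18  # exchange rate carried with 18 decimals, as in Compound-style markets


@dataclass
class Market:
    underlying_balance: int  # what balanceOf(market) on the underlying token would return
    tracked_cash: int        # internal ledger: updated only by mint/redeem/borrow/repay
    total_borrows: int
    total_reserves: int
    total_supply: int        # outstanding receipt tokens

    def exchange_rate(self, use_balance_of: bool) -> int:
        # Vulnerable pattern: Cash is read straight from the token balance, so a plain
        # transfer into the contract changes the rate for every receipt-token holder.
        cash = self.underlying_balance if use_balance_of else self.tracked_cash
        if self.total_supply == 0:
            return SCALE  # initial 1:1 rate for an empty market
        return (cash + self.total_borrows - self.total_reserves) * SCALE // self.total_supply

    def mint(self, amount: int, use_balance_of: bool) -> int:
        # Deposit underlying, receive receipt tokens at the current rate.
        minted = amount * SCALE // self.exchange_rate(use_balance_of)
        self.underlying_balance += amount
        self.tracked_cash += amount
        self.total_supply += minted
        return minted

    def donate(self, amount: int) -> None:
        # Plain ERC-20 transfer to the market: no mint, no ledger update.
        self.underlying_balance += amount


def collateral_value(receipt_tokens: int, market: Market, use_balance_of: bool) -> int:
    # Value the protocol assigns to a position, in underlying units.
    return receipt_tokens * market.exchange_rate(use_balance_of) // SCALE


def simulate(use_balance_of: bool) -> tuple[int, int]:
    """Return the depositor's collateral value before and after a 900-unit donation."""
    market = Market(0, 0, 0, 0, 0)
    held = market.mint(100 * SCALE, use_balance_of)  # deposit 100 units, get receipt tokens
    before = collateral_value(held, market, use_balance_of)
    market.donate(900 * SCALE)  # 900 units sent directly to the contract
    after = collateral_value(held, market, use_balance_of)
    return before, after
```

With balanceOf-based Cash the 100-unit position is valued at 1000 units after the donation; with ledger-based Cash it stays at 100, so the transfer has no effect on borrowing capacity.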
On April 22, 2023, FilDA Finance was attacked, leading to a loss of around $700K. The attacker manipulated the exchange rate in the lending pool and drained funds from it. CertiK audited FilDA's flash loan contracts. However, the vulnerability lies in the lending pool contract, a new product that was not within CertiK's audit scope.
FilDA exploit statement: https://fildafinance.medium.com/filda-exploit-statement-49ec69e34c53