CertiK Logo
CertiK Logo
Products
Blogs
Company
incident-response

Products & Technology

Featured Ecosystems

Company

English
Back to all stories
Blogs
Incident Analysis
Lending Rate Manipulation: Investigating the FilDA Finance Attack
1/8/2024
Lending Rate Manipulation: Investigating the FilDA Finance Attack

Project name: FilDA

Project type: Lending

Date of exploit: April 22, 2023

Asset loss: $700K

Vulnerability: Exchange rate manipulation

Date of audit report publishing: June 1, 2021

Conclusion: Out of audit scope

Details of the Exploit

Background

FilDA provides a lending protocol where users can deposit token as collateral then borrow tokens.

Nature of the Vulnerability

The exchange rate is calculated by exchangeRate = (Cash + totalBorrows - totalReserves)/totalSupply. The attacker manipulated the exchange rate by donating a large amount of htHBTC tokens to the contract. Since Cash in the above formula is the amount of htHBTC that the Filda htHBTC contract has, the exploiter donates a large amount of htHBTC to inflate the exchangeRate. As a result, the attacker can borrow more than its collaterals from the pool.

CertiK Audit Overview

Screenshot 2024-01-08 at 5.28.30 AM

Conclusion

On April 22, 2023, FilDA Finance was attacked, leading to a loss of around $700K. The attacker manipulated the exchange rate in the lending pool and drained funds from it. CertiK has audited the FilDA’s Flashloan contracts. However, the vulnerability lies in the lending pool contract, which is a new product that is not within CertiK's audit scope.

References

FilDA exploit statement: https://fildafinance.medium.com/filda-exploit-statement-49ec69e34c53

Related Stories
What is FinCEN and Why Does It Matter?
Blogs
Ecosystem
New
The Financial Crimes Enforcement Network (FinCEN) is a bureau of the United States Department of the Treasury, established to guard against and investigate money laundering, terrorism financing, and other financial crimes.
4/15/2024
Prisma Finance Incident Analysis
Blogs
Incident Analysis
On 28 March, Prisma Finance was exploited by multiple addresses leading to a loss of approximately $12.3 million. Three attackers took advantage of a vulnerability in the Prisma Finance MigrateTroveZap contract which allowed them to manipulate a migration process. Since the exploit occurred, a wallet that received funds from the main exploiter has reached out to the Prisma Finance deployer declaring that their actions were a white hat rescue.
3/29/2024
MangoFarmSOL Exit Scam
Blogs
Incident Analysis
On 6th January 2024, the MangoFarmSOL project conducted an exit scam leading to losses estimated around ~$1.32 million which is the largest exit scam that we have investigated in 2024 so far.
2/22/2024
CertiK Logo
SOC
© 2024 by CertiK. All Rights Reserved.
Products & Technology
Smart Contract AuditSkynetSecurity ScoreKYCPenetration TestingBug BountyFormal VerificationAdvisory ServicesSkyHarborSkyInsights
Company
AboutVenturesBlogCareersDisclaimerPrivacy PolicyCookie PolicyTerms and ConditionsTrust and Security
Social Media
CertiKSecurity LeaderboardCertiK AlertTelegramYoutube
MediumLinkedIn
Wechat
Discord
MediumLinkedIn
Wechat
Discord
© 2024 by CertiK. All Rights Reserved.
;