HealthCareInfoSecurity.com reported that “An attacker stole $1.25 million worth of cryptocurrency from newly established decentralized finance protocol New Free DAO in a flash loan attack on Thursday. The thief has cashed out nearly half of the stolen funds so far.” The September 9, 2022 report entitled “$1.3 Million Stolen From New Free Dao in Flash Loan Attack” (https://www.healthcareinfosecurity.com/13-million-stolen-from-new-free-dao-in-
flash-loan-attack-a-20037 ) included these comments:
New Free DAO was established less than two weeks ago but had accumulated enough money to permit huge losses once exploited, says Ronghui Gu, CEO and co-founder of blockchain security company CertiK.
“This attack demonstrates that threat actors are actively searching for vulnerabilities in newly created tokens and even looking at unverified code on Etherscan – or it was an inside job,” he tells Information Security Media Group.
The attacker exploited a vulnerability on an unverified rewards smart contract on the BSC blockchain to carry out the attack, CertiK says in a blog post detailing the incident. The attacker first deployed a malicious contract, made themselves a member of the contract and executed functions that resulted in the contract erroneously releasing funds that did not belong to the attacker.
No surprise that DAOs are vulnerable!