reported that “An attacker stole $1.25 million worth of cryptocurrency from newly established decentralized finance protocol New Free DAO in a flash loan attack on Thursday. The thief has cashed out nearly half of the stolen funds so far.” The September 9, 2022 report entitled “$1.3 Million Stolen From New Free Dao in Flash Loan Attack” (flash-loan-attack-a-20037) included these comments:

New Free DAO was established less than two weeks ago but had accumulated enough money to permit huge losses once exploited, says Ronghui Gu, CEO and co-founder of blockchain security company CertiK.

“This attack demonstrates that threat actors are actively searching for vulnerabilities in newly created tokens and even looking at unverified code on Etherscan – or it was an inside job,” he tells Information Security Media Group.

The attacker exploited a vulnerability on an unverified rewards smart contract on the BSC blockchain to carry out the attack, CertiK says in a blog post detailing the incident. The attacker first deployed a malicious contract, made themselves a member of the contract and executed functions that resulted in the contract erroneously releasing funds that did not belong to the attacker.

No surprise that DAOs are vulnerable!