Solana-based algorithmic stablecoin NIRV has become the latest stablecoin to fail after dropping 85% from its United States dollar peg following a hack on adaptive yield protocol Nirvana Finance on Wednesday. The flash loan attack, which also saw Nirvana Finance’s native token ANA drop by 85%, resulted in the loss of $3.49 million worth of Tether (USDT), with the SolanaFM team being the first to confirm that the funds were siphoned via a flash loan attack on Wednesday.
[Quarmby, B. Solana-based stablecoin NIRV drops 85% following $3.5M exploit. (Accessed July 29, 2022)].
The liquidity issues created by virtue of the hack are exposing Nirvana to devastating consequences. “The price of the protocol’s native ANA token fell over 80% in the past few hours, while its NIRV stablecoin lost its peg to the U.S. dollar and dropped to 8 cents […] The total value locked (TVL) on Nirvana fell to 7 cents in European morning hours following the attack. Its entire liquidity pool was effectively drained, data from DeFi Llama shows” [Malwa, S. Solana DeFi Protocol Nirvana Drained of Liquidity After Flash Loan Exploit. (Accessed July 29, 2022)].
Flash loans are a popular way for attackers to gain the funds to conduct exploits on decentralized finance (DeFi) systems. In April, the Beanstalk stablecoin protocol was drained of $182 million, and last month more than $1.2 million was taken from Inverse Finance. The loans allow traders to borrow unsecured funds from lenders using smart contracts instead of third parties. They do not require any collateral because the contract considers the transaction complete only when the borrower repays the lender. This means a borrower defaulting on a flash loan would cause the smart contract to cancel the transaction and the money would be returned to the lender.
[Id].
So, what exactly happened with this hack of Nirvana?
According to information from the Nirvana hacker’s account, the attacker stole $10 million of worth USDC from the main pool vault. Hacker used flash loans provided by Solend Protocol, a lending network based on the Solana blockchain. They then went on to mint $10 million worth of ANA using the money from the quick loan. The hacker boosted ANA price from $8 to $24 and converted it into USDC and USDT at this higher cost. It authorizes them to withdraw $3.5 million USDT from Nirvana’s accounts. When they tricked Nirvana’s treasury into believing the 10 million USDC inflows were genuine, they released all of the liquidity in the treasury. They then transferred 10.25 million USDC to Solend due to the hack. Later, hackers transferred the stolen funds to the Ethereum network using Wormhole.
[Ali, B. DeFi Hack – Solana-Based Lender Nirvana Finance Loses $3.5 Million. (Accessed July 29, 2022)
“The Nirvana team is now offering the hacker a whitehat bounty of $300,000 and a “cessation” of the investigation into their identity. So far, they revealed that the hacker’s wallet tied to a centralized exchange has been flagged” [Quarmby, supra].
In a series of tweets, Nirvana wrote:
.png)
.png)
“The attacker address – 0xB9AE2624Ab08661F010185d72Dd506E199E67C09 – currently holds over $3.5 million worth of DAI, blockchain data shows.
Nirvana’s trading functions were suspended by developers following the attack, as per messages by admins on the protocol’s Telegram channel” [Malwa, supra].
According to OtterSec, a blockchain audit platform, the attack on Nirvana was similar to the $10 Million attack on Crema Finance earlier in July, 2022; [see, Nagoda, K. Following Hack, Crema Finance Makes Out Much Better Than Harmony - Recovers $8 Million. (Accessed July 29, 2022)].
The algorithmically collateralized NIRV is unironically described by the protocol as a ‘superstable’ token. According to an explanatory thread on Solana Forums, the asset is backed by a network of stablecoins in Nirvana’s reserves via a ‘decentralized peg delegation.’ NIRV is always treated as $1 from the protocol’s point-of-view. […] In this instance, it appears that NIRV was depegged as a direct result of $3.49 million worth of USDT being stolen from Nirvana’s coffers. It marks yet another algo-stablecoin that has been severely depegged in 2022. Beanstalk Farm’s algorithmic stablecoin is sitting at $0.0022 after the protocol was hacked for $182 million in April. Terra’s first variation of its algo-stablecoin TerraUSD Classic (USTC) also famously imploded following a death spiral that resulted in $40 billion being wiped from the market in May.
[Quarmby, supra]
