Cyber Incident Victim: Flurry Finance
Date: Feb 2022
Location: United States of America
Summary
A decentralized finance platform suffered a $295,000 exploit when attackers manipulated its smart contracts to artificially inflate token balances through a flash loan attack. The hackers deployed malicious code to exploit a multiplier vulnerability in rhoToken balances, enabling illicit fund withdrawals before the platform halted transactions on Polygon and Binance Smart Chain. Blockchain security analysts detected the attack within minutes, attributing it to external dependencies in the protocol. The platform suspended its rebasing feature and token services during emergency upgrades to prevent further exploitation while conducting security reviews and preparing compensation plans.
Description
The Flurry Finance exploit occurred on February 22, 2022, when an attacker manipulated the decentralized finance platform's smart contracts to withdraw approximately $295,000. The attacker deployed a malicious token contract and created a PancakeSwap liquidity pair between this token and Binance USD (BUSD). They then took a flash loan from Rabbit Finance's bank contract, which triggered the StrategyLiquidate function within Flurry's system. This function improperly decoded its input data as an LP token address, accepting the attacker's newly created pair, and initiated a rebase of all vaults that updated the balance multipliers for rhoTokens, Flurry's yield-aggregating deposit tokens. Because the flash loan was still outstanding, the bank contract's temporarily low balance caused the multiplier to drop artificially. After repaying the flash loan, the attacker deposited tokens at the suppressed multiplier, inflated the multiplier again through a subsequent update, and withdrew funds at the higher valuation. CertiK, Flurry's blockchain security auditor, detected the anomalous activity within 15 minutes of the attack's start and alerted Flurry after confirming it was malicious.
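The accounting flaw described above, as a constructed toy model added here (not Flurry's code): a vault recomputes its rhoToken-style multiplier from an external bank's spot balance, and any caller-supplied LP address can trigger the rebase. The `validate` flag shows the effect of rejecting untrusted decoded addresses; all names, addresses and amounts are assumptions.

```python
# Constructed toy model (not Flurry's code) of a rebasing deposit token whose
# balance multiplier is recomputed from an external bank's spot balance.
from dataclasses import dataclass, field


@dataclass
class Bank:
    """External dependency holding the vault's assets; offers flash loans."""
    balance: float

    def flash_loan(self, amount, callback):
        self.balance -= amount          # balance is low while callback runs
        callback()
        self.balance += amount          # loan repaid within the same transaction


@dataclass
class Vault:
    bank: Bank
    shares: float                       # raw shares outstanding
    multiplier: float = 1.0
    trusted_lp: set = field(default_factory=set)

    def rebase(self, decoded_lp, validate):
        # Hardened path: only a known LP/strategy address may trigger a rebase.
        if validate and decoded_lp not in self.trusted_lp:
            raise PermissionError("rebase triggered with untrusted LP address")
        self.multiplier = self.bank.balance / self.shares   # spot balance

    def deposit(self, amount):
        new_shares = amount / self.multiplier
        self.shares += new_shares
        self.bank.balance += amount
        return new_shares

    def withdraw(self, shares):
        amount = shares * self.multiplier
        self.shares -= shares
        self.bank.balance -= amount
        return amount


def manipulated_gain(validate):
    """Net gain from depositing after a mid-flash-loan rebase; 0.0 if blocked."""
    bank = Bank(balance=1000.0)
    vault = Vault(bank, shares=1000.0, trusted_lp={"0xLP_PLACEHOLDER"})
    try:
        bank.flash_loan(900.0, lambda: vault.rebase("0xUNTRUSTED_LP", validate))
    except PermissionError:
        return 0.0                      # hardened vault rejects the rebase
    got = vault.deposit(100.0)          # priced at the suppressed multiplier
    vault.rebase("0xUNTRUSTED_LP", validate)
    return vault.withdraw(got) - 100.0
```

With spot-balance pricing and no caller validation the depositor extracts value that belonged to other share holders; the hardened path refuses the rebase and the multiplier never moves.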

Flurry Finance responded by pausing all smart contracts on Polygon and Binance Smart Chain (BSC), halting further withdrawals. The platform identified the root cause as an exploit of external dependencies affecting the rhoToken multiplier mechanism. Between February 25 and March 1, Flurry announced upgrades to all smart contracts to eliminate the vulnerability, suspending rhoToken rebasing and related services during the remediation. The breach caused direct financial losses and operational disruption, though the stolen amount was comparatively small relative to other 2022 cryptocurrency heists like BitMart's $150 million theft. Flurry committed to publishing a detailed incident report and compensation plan following comprehensive security reviews and contract redeployments. No user data was compromised, as the attack targeted only the smart contract logic governing token balances.
