
Cyber Incident Victim: New Free DAO

Date:

Sep 2022

Location:

United States of America

Summary

An attacker stole approximately $1.3 million from New Free DAO through a flash loan exploit targeting an unverified rewards smart contract on the BSC blockchain. The attacker deployed a malicious contract, manipulated membership privileges to illegitimately acquire 343 million NFD tokens, and converted them into cryptocurrency, causing the protocol's native token to collapse by over 99% in value. Part of the stolen funds ($111,544) was laundered through Tornado Cash, while the perpetrator, who had previously been linked to a separate $297,000 flash loan attack, retained most of the assets in their wallet. The incident highlights the vulnerabilities of unaudited DeFi projects and the ongoing risk posed by flash loan exploits.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On September 8, 2022, an attacker stole approximately $1.25 million worth of cryptocurrency from New Free DAO, a decentralized finance protocol established less than two weeks earlier, through a flash loan exploit. The attacker deployed a malicious contract on the Binance Smart Chain, manipulated an unverified rewards smart contract by granting themselves membership status, and executed functions that triggered erroneous fund releases. This resulted in the theft of 343,323,371 NFD tokens, which were converted to 4,481 wrapped BNB tokens valued at $1.25 million at the time of the attack. The incident caused an immediate collapse in the value of New Free DAO's native token, $NFD, which fell by over 99% within 24 hours and had not recovered the following day. Blockchain security firm CertiK confirmed that the same attacker had also carried out a separate $297,000 flash loan attack on the $N3DR token, though the perpetrator's identity remained unknown.


The attacker transferred $111,544 of the stolen funds to Tornado Cash, a sanctioned cryptocurrency mixer, shortly after the theft. CertiK noted that the recent U.S. Treasury sanctions on Tornado Cash might slow further laundering attempts, as transaction patterns could help investigators trace redeemed funds. At the time of reporting, the attacker still held $1.13 million in their wallet. CertiK's technical analysis emphasized that the exploit targeted vulnerabilities in unverified code, which hindered the detection of vulnerabilities after deployment. The firm reiterated that New Free DAO's rapid accumulation of funds before the attack made it an attractive target, though it did not confirm whether the breach resulted from insider activity or from external reconnaissance of publicly visible code. The incident underscored the operational risks facing nascent DeFi projects and highlighted the persistent threat that flash loan attacks pose to Web3 ecosystems.

Sources
Sources available to members
1 source