Hackers steal more than $11 million from Elephant Money DeFi platform
Elephant Money, the decentralized finance (DeFi) protocol behind the ELEPHANT token and the TRUNK stablecoin, announced this week that hackers stole $11.2 million worth of Binance Coin.
The company said it was facing an “automated attack” against its treasury and in a Medium post, their founder said they are working with their partners – blockchain security company CertiK and DeFi insurance protocol InsurAce – to address the issue.
“It took a significant amount of capital to bust through the system’s defenses. Over $261M in volume,” the founder said.
“Every time bad actors win it hurts the entire space. There are prominent teams that were aware of weaknesses and stood by and did nothing at your expense. Even after I and other community members asked them to disclose.”
BlocSec said the hackers used a price manipulation attack to exploit the platform. They borrowed wrapped Binance Coin through a flash loan and traded it for thousands of ELEPHANT Tokens.
The attackers minted TRUNK stablecoins, raising the price of ELEPHANT tokens. They eventually traded in ELEPHANT and TRUNK tokens for Binance Coin and Binance’s US Dollar stablecoin BUSD.
“Since the token value after the attack is more than the cost, the attacker can get around $4 million profit in one round of the attack,” BlocSec said, noting that the attacker simply repeated this process to steal more funds.
Elephant Money said its BUSD treasury has been tapped to rebuild the ELEPHANT Treasury and that a patch for the vulnerability is being worked on.
They urged users not to sell their ELEPHANT tokens, claiming those who do will “realize unnecessary losses.”
“Elephant Money has defended against all manner of attacks since its inception a year ago,” the founder said. “This exploit got through and its delivery was planned and timed.”
The price of ELEPHANT has tanked since the attack, dropping more than 76%, according to Binance.
Blockchain analysis firm Chainalysis said at least $2.2 billion was stolen from DeFi protocols in 2021. Two weeks ago, the Ronin Network announced that hackers stole more than $600 million worth of cryptocurrency, making it one of the largest attacks ever.