Nirvana Finance is a Solana-based DeFi protocol with an algorithmic stablecoin.
On July 28, 2022, it ran into liquidity issues due to a flash loan attack in which an attacker drained approximately $3.5M from the liquidity pool. The protocol is closed source and underwent only an automated audit before the exploit. A manual human audit is still being scheduled as of the time of writing (January 2023).
The attacker took a flash loan of 10M USDC from the lending protocol Solend and used it to mint over $10M worth of Nirvana’s ANA token. Afterwards, he swapped the ANA tokens for USDT stablecoins and received 13.49M USDT. Finally, he returned the borrowed 10M to Solend, which resulted in a $3.49M profit.
Based on the technical post-mortem analysis from the Nirvana Finance team, the attacker was able to manipulate the inputs to the program and buy the ANA token at an artificially low price.
In simple terms, much as in the Solend case, it was a combination of market manipulation and some hacking: the exploiter first artificially lowered the price to buy himself ANA, and by doing so pushed the price upwards and made a profit from the spread.