Over $1M in USDT and WETH stolen following NowSwap DEX hack

Key Takeaways

• Hackers steal over $1 million from Decentralized Exchange (DEX) protocol NowSwap.
• Attacks on DeFi platforms has increased in the recent months.
• NowSwap announced they have launched an investigation regarding the hack on the protocol.

YEREVAN (CoinChapter.com) — Decentralized Exchange Protocol (DEX) NowSwap became a victim of a cyber attack on Wednesday. 

According to blockchain security firm BlockSec, NowSwap was hacked and lost more than $1 million. In addition, the attackers allegedly stole 535,706 USDT and 158.28 WETH.

1/N @nowswap_org was hacked (https://t.co/8a71K811me). The total losses are around 158.28 WETH and 535,706 USDT. The attacker also hacked the Nimbus (https://t.co/DJKOT6Zob6), with a loss around 1.45 ETH.

— BlockSec (@BlockSecTeam) September 15, 2021

WETH is a wrapped form of Ethereum which allows ETH to be swap with other ERC-20 Tokens in a decentralized exchange (DEX).

BlockSec also informed that the Decentralized Applications (dApps) platform Nimbus also suffered a similar attack.

Recommended: PancakeSwap’s CAKE rallies 17.5% amid a $151 million worth token burning event.

Siphoning the millions of NowSwap

NowSwap is a decentralized exchange where users can swap virtually any asset peer-to-peer through the Ethereum smart contract infrastructure.

To successfully steal over 1 Million from the network, the hackers converted USDT to ETH through the decentralized exchange aggregator 1inch. After the conversion, they camouflaged it on the transaction-privacy platform Tornado Cash. 

To pull off a flash loan attack, the hackers used an invalid ‘K’ value check in the pair contract of NowSwap to attack the protocol.

After every transaction, the hacker used the loophole to get a partial return on the loan amount and repeated the process until the total funds in the attacked pool got over.

Indeed, the current implementation only enforces 1/10 of K! The hacker grabs 535K USDTs and 158 WETHs. The USDTs have been swapped into ETH via @1inch and then washed via @TornadoCash https://t.co/IFXySRn1kV

— PeckShield Inc. (@peckshield) September 15, 2021

Recommended: DeFi platform WonderFi Launches on the NEO exchange under Ticker WNDR.

NowSwap launches an investigation

After being notified of the hack by DeFi security experts, NowSwap announced today that they had launched an investigation.

“We are investigating the hack on our protocol,”

 NowSwap tweeted. 

We are investigating the hack on our protocol.

— NowSwap Protocol (@nowswap_org) September 16, 2021

Of late, the Decentralized Finance (DeFi) industry has become a target of regular hack attacks. 

DeFi lending protocol Cream Finance lost $18.8 million in assets to a flash loan attack at the end of August. That was the second time hackers had targetted the protocol this year.

The cross-chain Defi protocol PolyNetwork also became the victim of the largest Defi attack, losing over $oo million in the process. The attack happened on August 10. 

Recommended: OpenSea senior employee accused of insider trading

Enemy No 1 – loans without collateral 

As Decentralized Finance evolved, the market saw the introduction of one of DeFi’s most innovative yet controversial features: loans that do not require collateral.

This feature allows people to take loans for a specific transaction because the borrower will return the fund immediately after the transaction is complete. If the borrower does not return the fund immediately, the transaction gets canceled.

Attackers see this as a loophole and use this otherwise innovative feature to re-borrow assets in a series of transactions, siphoning off funds in the process.

It appears NowSwap has become a victim of a similar attack.

Although Decentralized Finance (DeFi) is disrupting the financial landscape, its security issues remain a major drawback.