Solana-based algorithmic stablecoin NIRV has become the latest stablecoin to fail, after dropping 85% from its dollar peg following a hack on adaptive yield protocol Nirvana Finance on Wednesday.
The flash loan attack, which also saw Nirvana Finance’s native token ANA drop by 85%, resulted in the loss of $3.49 million worth of Tether (USDT), with the SolanaFM team being the first to confirm that the funds were siphoned via a flash loan attack on July 27:
“Utilizing Solend Protocol’s Flash Loans, the hacker borrowed $10M USDC from the Solend Main Pool Vault which was used to exploit $3.49M USDT from the Nirvana Finance Treasury.”
At the time of writing, both NIRV and ANA are down roughly 85% to $0.14 and $1.33 apiece. On Nirvana’s website, it confirms that the protocol was “maliciously hacked and reserve funds are stolen. NIRV and ANA have lost their collateral, and do not have secured market value.”
What we know so far:
Nirvana has been maliciously hacked and the reserves have been stolen.
A flashloan attack was used to steal money. This is not the fault of Solend, but an exploit of Nirvana’s program.https://t.co/NkmtHAbAAa
— Nirvana Finance (@nirvana_fi) July 28, 2022
The Nirvana team is now offering the hacker a whitehat bounty of $300,000 and a “cessation” of the investigation into their identity. So far they revealed that the hacker’s wallet tied to a centralized exchange has been flagged.
“Please accept this good faith request and return our treasury for the good of the whole Nirvana community. You have not taken money from VCs or large funds—the treasury you have taken represents the collective hopes of everyday people,” it wrote.
To The Nirvana Hacker:
On behalf of the Nirvana Finance community, we humbly ask that you return the stolen funds from our treasury. 1/5
— Nirvana Finance (@nirvana_fi) July 28, 2022
Another algo bites the dust
The algorithmically collateralized NIRV is unironically described by the protocol as a “superstable” token. According to an explanatory thread on Solana Forums, the asset is backed by a network of stablecoins in Nirvana’s reserves via a “decentralized peg delegation.”
“NIRV is always treated as $1 from the protocol’s point-of-view. This dollar value is denominated in ANA tokens. For instance, if the spot price of ANA is $12, the protocol accepts 12 NIRV to purchase an ANA token.”
In this instance, it appears that NIRV was depegged as a direct result of $3.49 million worth of USDT being stolen from Nirvana’s coffers. It marks yet another algo-stablecoin that has been severely depegged in 2022. Beanstalk Farm’s algorithmic stablecoin is sitting at $0.0022 after the protocol was hacked for $182 million in April.
Terra’s first variation of its algo-stablecoin Terra USD also famously imploded following a death spiral that resulted in $40 billion being wiped from the market in May.
How it worked
According to blockchain audit platform OtterSec, a hacker used a program to artificially pump the price of ANA from $8 to $24 via the flash loan. They were then able to mint ANA against the flash loan at the inflated price, and subsequently exchanged the asset for $3.49 million worth of USDT which was drained directly from Nirvana’s treasury.
OtterSec noted that his hack shared similarities with the attack on Crema Finance worth $10 million earlier this month, in which the attacker took out a flash loan from the Solend decentralized finance (DeFi) protocol to inflate pricing data and raid the protocol.
2/ This hack beared many similarities to previous hacks. Similar to the @Crema_Finance hack, this too used Solend flashloans.
The attacker’s program was also uploaded on-chain and closed immediately afterwards. https://t.co/kgg7C2M2Gq pic.twitter.com/GJaAZlfJZD
— OtterSec (@osec_io) July 28, 2022
SolanaFM also noted that the hacker exited the attack by converting “the full USDT amount into USDCet, transferring the funds into an ETH account” via Wormhole’s cross-chain bridge.