Major DeFi Protocol Suffers $42M Flash Loan Exploit

Timeline

• T+0: Flash loan of 80M USDC initiated
• T+1 block: reward calculation called recursively, double-counting balance
• T+5 blocks: attacker withdraws $42M in stables
• T+12 blocks: circuit breaker triggered by anomalous TVL drop

What's known

The protocol has paused new deposits. Stolen funds were sent to Tornado Cash. The team has engaged Chainalysis and posted an on-chain bounty.

ONPROOF context

This protocol has not been on our review list — it failed methodology eligibility (no audit). For tokens we have reviewed, our F category (Audit & Security) penalizes unaudited reward logic specifically.