Whitehat Daniel Von Fange reported that EFLeverVault, linked to Earning.Farm, has been hacked for 750 ETH. 480 Ethers ended up in an MEV bot, while 268 Ethers were withdrawn by hackers.

The vision of Earning.Farm is to provide user-friendly investment tools for mass population to enjoy the innovation of DEFI.

The hack happened because the contract did not verify that flashloan callbacks where actually initiated by the protocol, allowing the attacker to tell the protocol to withdraw large amounts of funds. The EFLeverVault handles withdraws by making a flash loan to itself for that amount, when it receives the flash loan, it withdraws that amount of funds, and leaves it in eth on the contract. After the flash loan is over, the contracts sends all ETH on the contract to user. The attacker exploited this by making a tiny deposit, then a huge outside flashloan, causing the protocol to make a large withdraw to eth to itself. The attacker then withdrew their small amount of eth, and the protocol sent both the small and the large amount it had to them. Essentially the exploiter was able to directly invoke the Flashloan and designate EFLeverVault as the recipient, this bypasses Withdraw's limit on the amount of the Flashloan and allowing himself to be the recipient.

Funds were sent to Tornado.cash.