Solana Based Algorithm Stablecoin Protocol Nirvana Attacked by Flashloan, Losing Over $3.57 Million

The Solana based algorithmic stablecoin protocol Nirvana was exploited via a flashloan attack, losing more than $3.57 million, according to a tweet from SlowMist. By deploying the malicious contract, the attacker uses the lightning loan to borrow 10.25M $USDC from Solend, then calls the Nirvana contract buy3 method to buy a large amount of $ANA, then calls the Nirvana contract Swap method to sell some of the $ANA, getting $USDT and $USDC, and after returning the flashloan the remaining approximately $3.57M $USDC. The funds have been swapped to $DAI via 1inch Network and remain at the current address. The Nirvana source code is not completely open, and according to on-chain call log analysis, the scammer may have taken advantage of a vulnerability in the ANA price calculation to arbitrage. According to TokenInsight data, $ANA price dropped 77.08% in the past 24 hours and is now at $1.9813.