NewFreeDAO (NFD) Exploit — Stateless, Self-Resetting Reward Lets a Borrowed Balance Be Compounded 50×

Source & credit. Exploit reproduction, trace data, and analysis adapted from DeFiHackLabs by SunWeb3Sec — an open registry of reproduced on-chain exploits. Standalone Foundry PoC and full write-up: 2022-09-NewFreeDAO_exp in the evm-hack-registry mirror. Upstream DeFiHackLabs PoC: src/test/…/NewFreeDAO_exp.sol.

Vulnerability classes: vuln/logic/reward-calculation · vuln/logic/missing-check

Reproduction: the PoC compiles & runs in an isolated Foundry project at this project folder (the umbrella DeFiHackLabs repo contains many unrelated PoCs that do not whole-compile under forge test, so this one was extracted). Full verbose trace: output.txt. PoC source: test/NewFreeDAO_exp.sol. Verified third-party sources: NFD token, DODO DVM (flash-loan source), PancakeRouter. The vulnerable reward contract itself is unverified on-chain; the PoC embeds a Heimdall-style decompilation of it (test/NewFreeDAO_exp.sol:108-572).

Key info#

TL;DR#

The NewFreeDAO "reward" contract (0x8B06…1D1E) pays out NFD tokens proportional to the caller's current NFD balance, gated only by a "collection time" check that is keyed on a per-caller, never-meaningfully-initialized timestamp owner_d[caller]. The reward function 0x6811e3b9 (test/NewFreeDAO_exp.sol:270-297) is public, has no access control, and never verifies that the caller actually staked, locked, or held the NFD for any period of time. It simply reads balanceOf(caller) right now and pays ≈ 8.32% of it.

Because the gate is per-caller and a brand-new contract starts with owner_d[caller] == 0 (which the function then sets to the ancient base timestamp stor_6, making block.timestamp − owner_d enormous and the collection check trivially pass), the attacker:

1. Flash-borrows 250 WBNB from DODO and swaps it (WBNB→USDT→NFD) into 6,313,508.97 NFD.
2. Runs a 50-iteration loop. In each iteration it deploys a fresh Exploit contract, moves the entire NFD balance into it, calls the reward function once (collecting ≈ 8.32% of the moved balance as new NFD minted/paid from the reward reserve), then sweeps everything back.
3. The balance compounds: 6.31M × 1.0832^50 ≈ 343.32M NFD — a 54.38× inflation of the attacker's position, all funded out of the reward contract's NFD reserve.
4. Dumps all 343.32M NFD back through NFD→USDT→WBNB, repays the 250 WBNB flash loan, and walks away with +2,952.97 WBNB net.

No exchange-rate manipulation is needed. The reward contract literally hands out a fixed percentage of whatever you currently hold, and a fresh address always satisfies the "you waited long enough" check. The flash loan only supplies the seed principal — every reward beyond the seed is free money from the reserve.

Background — what NewFreeDAO is#

NewFreeDAO is a BSC "DeFi / DAO" token (NFD, 0x38C6…D4F9, an 8% fee-on-transfer reflection token — see NFD.sol) paired with a separate reward / dividend contract (0x8B06…1D1E). The reward contract is the actual victim: it is funded with NFD and pays NFD rewards to holders. Its bytecode is unverified on-chain, so the PoC works from a decompilation embedded as a block comment (test/NewFreeDAO_exp.sol:108-572). The decompilation exposes the reward storage model:

The reward function the attacker calls is selector 0x6811e3b9 (test/NewFreeDAO_exp.sol:270-297). Its decompiled body, condensed:

function 0x6811e3b9() public {                     // PUBLIC, no auth
    v1 = _isAirAddr.balanceOf(msg.sender);          // caller's CURRENT NFD balance
    require(v1 > 0, 'Amount can not be Zero');
    if (owner_d[msg.sender] <= 0) {
        owner_d[msg.sender] = stor_6;               // fresh caller → ancient base timestamp
    }
    v2 = _SafeDiv(stor_8, block.timestamp - owner_d[msg.sender]); // = stor_8 / elapsed
    require(v2 > 0, 'The collection time was not reached');
    v3 = 0;
    if (block.timestamp > stor_7) {                 // "warmup over" branch (taken here)
        if (v2 > 0) {
            v5 = stor_b * v1;                        // 0x3182 = SafeMath mul
            v3 = _SafeDiv(0xf4240, v5);              // = (stor_b * balance) / 1_000_000
        }
    } else if (v2 > 0) { ... }                       // time-scaled branch (not taken)
    _isAirAddr.transfer(msg.sender, v3);             // pay reward in NFD
    owner_d[msg.sender] = block.timestamp;           // mark collected — but on a THROWAWAY address
}

Note _SafeDiv(a, b) in this decompilation returns b / a (test/NewFreeDAO_exp.sol:164-180), so _SafeDiv(0xf4240, stor_b*v1) is (stor_b * balance) / 1_000_000 — i.e. reward = (stor_b / 1e6) · balanceOf(caller). The attack measures this constant directly from the trace as 8.32% (see accounting below).

The vulnerable code#

1. The reward is a flat percentage of current balance — no holding/lock requirement#

v1 = _isAirAddr.balanceOf(msg.sender);     // snapshot, not a staked/locked position
...
v5 = stor_b * v1;
v3 = (stor_b * v1) / 1_000_000;            // reward ≈ 8.32% of whatever you hold right now
_isAirAddr.transfer(msg.sender, v3);

There is no stake()/deposit() that records a principal, no lock period, no snapshot at an earlier block, no per-account accrual ledger. The "yield" is computed against a live, attacker-controlled balance that can be flash-loaned in and out within one transaction.

2. The only anti-abuse gate is a per-caller timestamp that a fresh address trivially passes#

if (owner_d[msg.sender] <= 0) {
    owner_d[msg.sender] = stor_6;          // fresh caller → ancient base timestamp
}
v2 = stor_8 / (block.timestamp - owner_d[msg.sender]);
require(v2 > 0, 'The collection time was not reached');

For a brand-new contract, owner_d[msg.sender] is 0, so it is set to stor_6 (a base timestamp set far in the past at deployment). block.timestamp − stor_6 is then a very large number, the division is positive, and the "collection time was not reached" guard passes immediately. The function does update owner_d[msg.sender] = block.timestamp at the end — but that write lands on a single-use Exploit contract that is never reused, so the rate limit is defeated by simply creating a new address each iteration.

3. The entry point is public#

Selector 0x6811e3b9 is dispatched with no onlyOwner/role check (test/NewFreeDAO_exp.sol:526-527); anyone can call it. (Contrast the owner-gated mirror function 0x76fc7ac2 (test/NewFreeDAO_exp.sol:305-334) which does the same payout for an arbitrary address — the permissionless variant is what gets abused.)

Root cause#

The reward contract conflates "how much you hold right now" with "how much you have earned the right to be paid for." Three design decisions compose into the bug:

1. Stateless principal. Reward is ≈ 8.32% × balanceOf(caller) evaluated at call time, against a spot balance, not a recorded/locked stake. A balance acquired one instruction earlier (via swap or flash loan) is treated identically to a long-held position.

2. Per-caller, externally-resettable rate limit. The "collection time" guard is keyed on owner_d[caller], which is 0 for any new address and gets initialized to an ancient base timestamp, so the guard is vacuous for fresh callers. The end-of-call write owner_d[caller] = block.timestamp is meant to enforce a cooldown, but it is bypassed by using a different caller (a freshly deployed contract) every time. The contract has no global rate limit and no notion of "this NFD was already farmed."

3. No reentrancy/atomicity guard against compounding. Because the reward is paid into the same balance that determines the next reward, repeatedly collecting on the growing balance compounds it geometrically (1.0832^50 ≈ 54.4×), all within a single atomic transaction funded by a flash loan that is repaid at the end.

The flash loan is not the vulnerability — it merely provides risk-free seed capital. Even without it, anyone holding NFD could farm the reserve; the flash loan just lets the attacker do it with zero of their own money and zero exposure.

Preconditions#

• The reward contract holds a large NFD reserve to pay out (it did — payouts of hundreds of thousands to tens of millions of NFD per call succeeded, see output.txt).
• _isAirAddr.balanceOf(caller) > 0 ('Amount can not be Zero') — satisfied by acquiring NFD.
• block.timestamp > stor_7 so the flat-rate branch is taken (true at the fork block).
• Each reward collection must come from a caller whose owner_d is still 0/ancient — satisfied by deploying a fresh Exploit contract per iteration (test/NewFreeDAO_exp.sol:70-75).
• Seed NFD to start the snowball — obtained by flash-borrowing 250 WBNB from DODO and swapping to NFD; fully repaid intra-transaction, so the attack is flash-loanable with no principal at risk.

Step-by-step attack walkthrough (with on-chain numbers from the trace)#

All figures are taken directly from the events/returns in output.txt. The seed swap routes WBNB→USDT (in the WBNB/USDT pair 0x16b9…0daE) then USDT→NFD (in the NFD/USDT pair 0x26C0…aeAf).

The compounding curve (selected iterations)#

The reward is a constant 8.32% of the moved balance each call; with the proceeds folded back in, the balance grows geometrically. Reward paid per iteration (NFD), from grep "from: vulnContractName.*to: Exploit" over output.txt:

6,313,508.97 × 1.0832^50 ≈ 54.38× = 343.32M NFD, matching the trace exactly.

Profit / loss accounting (this tx)#

The entire 250-WBNB seed is recovered (it is round-tripped through the pools and the loan repaid). The 2,952.97 WBNB net is value extracted from the NFD reward reserve and from NFD/USDT pool liquidity as the attacker's farmed NFD was sold. This is Tx1; the attacker repeated the pattern in Tx2/Tx3 for the headline ~4,481 BNB total (test:11-13).

Diagrams#

Sequence of the attack#

The flaw inside the reward function#

Why it compounds: balance feeds the next reward#

Remediation#

1. Pay rewards against a recorded, locked principal — never a spot balance. Require an explicit stake()/deposit() that snapshots the staked amount and the entry timestamp in contract storage, and compute rewards from that recorded position, not from balanceOf(msg.sender) read at claim time. This alone defeats the flash-loan and same-block compounding entirely.

2. Make the cooldown global to the principal, not per-msg.sender. Keying anti-abuse state on owner_d[caller] is defeated by deploying a fresh caller each call. Track accrual against the staked position (or require the reward to be claimable only once per principal per real time window), so creating new addresses provides no benefit.

3. Initialize cost basis to "now", not to an ancient base timestamp. Setting owner_d[caller] = stor_6 (a far-past base) makes the "collection time" guard vacuous for any fresh address. A new participant's accrual must start at their first interaction (block.timestamp), so elapsed time is ~0 and no reward is immediately claimable.

4. Add reentrancy/atomicity protection and a per-block claim cap. Reward that is paid into the same balance used to size the next reward must not be re-claimable in the same transaction. A nonReentrant guard plus "one claim per address per block" prevents the geometric compounding loop.

5. Bound total payout and validate solvency. Cap rewards as a fraction of a real, time-based accrual schedule and revert if a single transaction would drain a disproportionate share of the reserve — a 54× balance inflation in one tx should be impossible by construction.

How to reproduce#

The PoC was extracted into a standalone Foundry project (the umbrella DeFiHackLabs repo has many unrelated PoCs that fail to compile under forge test's whole-project build):

_shared/run_poc.sh 2022-09-NewFreeDAO_exp --mt testExploit -vvvvv

• RPC: a BSC archive endpoint is required (fork block 21,140,434 is from 2022 and is pruned by most public BSC RPCs). The seed/cash-out routes and the reward reserve must be readable at that block.
• Result: [PASS] testExploit() with Attacker's Net Profit: 2952.971303206254291601.

Expected tail (from output.txt):

Ran 1 test for test/NewFreeDAO_exp.sol:Attacker
[PASS] testExploit() (gas: 75999504)
Logs:
  ---------- Reproduce Attack Tx1 ----------
  Flashloan 250 WBNB from DODO DLP...
  Swap 250 WBNB to NFD...
  [*] NFD balance before attack: 6313508.973101744640040048
  Abuse the Reward Contract...
  [*] NFD balance after attack: 343323371.795084477753627468
  Swap the profit...
  Repay the flashloan...
  Attacker's Net Profit: 2952.971303206254291601

Suite result: ok. 1 passed; 0 failed; 0 skipped

References (from the PoC header, test/NewFreeDAO_exp.sol:19-24): PeckShield, Beosin, BlockSec, SlowMist, CertiK incident threads (NewFreeDAO / NFD, BSC, 2022-09-08).

Sources & further analysis#

Reproductions & code

• Standalone PoC + full trace: 2022-09-NewFreeDAO_exp (evm-hack-registry mirror).
• Upstream DeFiHackLabs PoC: NewFreeDAO_exp.sol.
• Attack transaction: view on explorer.

Alerts & third-party analyses

• DeFiHackLabs incident explorer: search "NewFreeDAO (NFD) Exploit".
• Web3Sec X hacked database: search.
• Rekt leaderboard: search.
• Solodit incident search: search.

These dashboards index community alerts tweets, post-mortems, and independent write-ups. Reach them through the protocol name above to cross-check this reproduction against other analyses.