defirisk.co
rubric v1.7.0

Elephant Money: Flash loan + spot price manipulation during stablecoin minting

Occurred: 2022-04-12 | Loss: $22M | Status: closed

Summary

Elephant Money (category: Algorithmic Stablecoin / Treasury Reserve) suffered an exploit on 2022-04-12, resulting in a loss of approximately $22M.

What happened

Elephant Money lost $22.2M when an attacker used a flash loan to manipulate ELEPHANT's price during TRUNK stablecoin minting — a vulnerability Solidity Finance had identified in an audit but never communicated to the team.

Linked factors

  • RD-F-001 — causal : ★ Direct: Audit scope mismatch (report commit ≠ deployed bytecode) [via cross-hack: Factor 1: Audit Scope Mismatch]
  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Mixed: vulnerability identified in audit but unaddressed; drained treasury was unaudited]
  • RD-F-007 — causal : Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: No evidence]
  • RD-F-008 — causal : Ignored disclosure — closest [via cross-hack: Factor 19: Audit Finding Not Communicated to Team]
  • RD-F-053 — causal : ★ Spot DEX pool oracle without TWAP — root cause [via realtime_signals/Oracle anomaly: Y — ELEPHANT price spiked anomalously during minting cycle; spot price used as oracle was directly manipulable] || ★ Oracle source = spot DEX pool (no TWAP, no fallback) [via cross-hack: Factor 16: Single-Source VWAP / Thin-Liquidity Oracle Without Flash Swap Filtering]
  • RD-F-055 — related : Underlying oracle pool depth (USD) [via cross-hack: Factor 16: Single-Source VWAP / Thin-Liquidity Oracle Without Flash Swap Filtering]
  • RD-F-056 — related : Single-pool oracle (no medianization) [via cross-hack: Factor 16: Single-Source VWAP / Thin-Liquidity Oracle Without Flash Swap Filtering]
  • RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Y — ELEPHANT price spiked anomalously during minting cycle; spot price used as oracle was directly manipulable]
  • RD-F-100 — illustrative : Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — 131K WBNB + 91M BUSD flash loan from PancakeSwap is anomalous]
  • RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Anonymous ("Bankteller" pseudonym)]