defirisk.co
rubric v1.7.0

Eminence Finance (EMN): Flash loan + bonding curve arbitrage (buy/burn/sell cycle)

$15M in DAI was drained from Eminence Finance — Andre Cronje's unannounced, unaudited test contracts — within hours of deployment, as FOMO-driven users deposited funds into a bonding curve an attacker immediately arbitraged to zero.

Occurred 2020-09-28 Loss $15M Status closed

Summary #

Eminence Finance (EMN) suffered a Unreleased / Test-in-Prod (gaming multiverse / bonding curve token system) on 2020-09-28, resulting in a loss of approximately $15M.

What happened #

$15M in DAI was drained from Eminence Finance — Andre Cronje's unannounced, unaudited test contracts — within hours of deployment, as FOMO-driven users deposited funds into a bonding curve an attacker immediately arbitraged to zero.

Linked factors #

  • RD-F-001 — causal : ★ Audit scope mismatch — exploited code outside scope [via dashboard_risk_factors/Was exploited code in audit scope?: N/A — no audit existed] || ★ Audit scope mismatch — full field name [via dashboard_risk_factors/Was exploited code in audit scope?: N/A — no audit existed]
  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited; vulnerability is inherent to the bonding curve design (circular token mechanics exploitable via flash loans)]
  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — deployed day of exploit] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — deployed day of exploit] || Time between audit end and deploy [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
  • RD-F-007 — causal : Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: No]
  • RD-F-076 — causal : Protocol age (days since first mainnet deploy) [via cross-hack: Factor 35: Protocol Age < 2 Weeks at Time of Hack]
  • RD-F-100 — illustrative : Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — large flash loan from Uniswap pool visible on-chain]
  • RD-F-114 — causal : Deployer address prior on-chain history [via cross-hack: Factor 20: Deployer Reputation as False Trust Signal]
  • RD-F-141 — related : Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
  • RD-F-146 — related : New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract] || New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — deployed day of exploit]