CRITICAL | Exploit Analysis | $5.0M

Flash Loan Attack Analysis: Sample Protocol

Sample Protocol (Test Protocol)

A sample flash loan attack demonstrating a vulnerability in a sample DeFi protocol.

#flash loan #DeFi #exploit

Executive Summary

On March 9, 2026, attackers exploited a flash loan vulnerability in Sample Protocol's lending pools, resulting in approximately $5 million in losses. The attack leveraged oracle price manipulation to drain liquidity pools within a single transaction.

Attack Overview

The attack unfolded in three coordinated phases:

Phase 1: Flash Loan Acquisition

  • Borrowed 10,000 ETH via flash loan from Aave
  • Swapped borrowed tokens for malicious TEST asset

Phase 2: Price Manipulation

  • Manipulated oracle price of TEST token through large swaps
  • Exploited oracle's price dependency on spot market rates
  • Artificially inflated TEST token price by 400%

Phase 3: Asset Exfiltration

  • Drained lending pools using manipulated collateral values
  • Transferred 15,000 USDC to attacker's address
  • Routed stolen USDC through Tornado Cash-style mixer

Root Cause Analysis

The vulnerability originated in the getReserves() function, which failed to validate token reserves properly. Key issues identified:

  • Oracle Freshness: No oracle freshness check after the flash loan, allowing stale price manipulation
  • TWAP Absence: No time-based TWAP restrictions on lending, enabling single-block exploits
  • Storage Validation: Oracle price was read from an unverified storage slot
  • Pause Mechanism: Lack of emergency pause functionality
  • Reentrancy Guards: Missing reentrancy guards on callback functions

Defense Recommendations

  1. Implement Oracle Freshness Checks: Ensure price data is no older than the previous block
  2. Add Emergency Pause: Deploy circuit breaker pattern for critical functions
  3. Use TWAP Oracles: Implement time-weighted average prices for lending decisions
  4. Flash Loan Resistance: Consider using flash loan-resistant lending pools
  5. Regular Audits: Conduct periodic security audits of oracle price feeds
  6. Real-time Monitoring: Consider using OpenZeppelin Defender or Pyth Network for real-time threat detection
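The following Python simulation is an added example, not code from Sample Protocol or from this write-up. It models a constant-product pool with a Uniswap-V2-style price accumulator (names such as Pool, twap and collateral_price are hypothetical) and shows why recommendations 1 and 3 work: a single-block swap moves the spot price that a naive getReserves()-based oracle reports, while a TWAP over recent blocks barely moves, so a lending contract that refuses collateral pricing when spot and TWAP diverge rejects the manipulated value.

```python
from dataclasses import dataclass, field

@dataclass
class Pool:
    """Constant-product AMM pool (x*y=k) with a Uniswap-V2-style price accumulator.
    Constructed for illustration; not the protocol's real pool code."""
    reserve_test: float            # collateral token reserve
    reserve_usdc: float            # quote token reserve
    cumulative: float = 0.0        # running sum of spot price * blocks elapsed
    last_block: int = 0
    observations: list = field(default_factory=list)  # (block, cumulative) snapshots

    def spot_price(self) -> float:
        # Instantaneous TEST price in USDC straight from reserves: what a naive
        # getReserves()-based oracle returns, and what a flash loan can move in one block.
        return self.reserve_usdc / self.reserve_test

    def record(self, block: int) -> None:
        # Update the accumulator on the first touch of a new block, before any swap in it.
        elapsed = block - self.last_block
        if elapsed > 0:
            self.cumulative += self.spot_price() * elapsed
            self.last_block = block
            self.observations.append((block, self.cumulative))

    def swap_usdc_for_test(self, usdc_in: float) -> float:
        # Fee-less constant-product swap; buying TEST with USDC raises its spot price.
        k = self.reserve_test * self.reserve_usdc
        self.reserve_usdc += usdc_in
        new_test = k / self.reserve_usdc
        out = self.reserve_test - new_test
        self.reserve_test = new_test
        return out

def twap(pool: Pool, now_block: int, window: int) -> float:
    # Time-weighted average over the last `window` blocks: accumulator delta between
    # now and the newest snapshot that is at least `window` blocks old.
    cum_now = pool.cumulative + pool.spot_price() * (now_block - pool.last_block)
    old = [o for o in pool.observations if o[0] <= now_block - window]
    if not old:
        raise ValueError("not enough price history for the TWAP window")
    old_block, old_cum = old[-1]
    return (cum_now - old_cum) / (now_block - old_block)

def collateral_price(pool: Pool, now_block: int, window: int = 10, max_dev: float = 0.05) -> float:
    # Lending-side guard: refuse to value collateral when spot has drifted from the
    # TWAP by more than max_dev, the signature of in-block oracle manipulation.
    avg = twap(pool, now_block, window)
    spot = pool.spot_price()
    if abs(spot - avg) / avg > max_dev:
        raise ValueError(f"spot {spot:.2f} deviates from TWAP {avg:.2f}; refusing to price collateral")
    return avg
```

With a 1,000,000 TEST / 1,000,000 USDC pool and ten quiet blocks of history, a single swap of about 1,236,068 USDC in block 11 pushes the spot price from 1.0 to roughly 5.0 (the 400% inflation described above) while the ten-block TWAP stays at 1.0, so collateral_price raises instead of accepting the inflated value.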
