Nirvana Finance Oracle Manipulation
A $10M USDC flash loan inflated Nirvana's ANA token 4x against its own oracle; the attacker swapped ANA for $13.49M USDT and the NIRV stablecoin depegged 90%.
- Date
- Victim: Nirvana Finance
- Chain(s)
- Status
- Funds Stolen
On July 28, 2022, the Solana DeFi yield protocol Nirvana Finance lost approximately $3.49 million when a $10 million USDC flash loan was used to manipulate its own ANA token oracle, allowing the attacker to extract more value than they put in. The protocol's native token ANA fell 89% and its stablecoin NIRV depegged by 90%, effectively ending the protocol.
What happened
Nirvana priced its ANA token using its own internal bonding curve and a price oracle that read from on-chain liquidity. The protocol let users mint ANA against USDC deposits and redeem ANA back for USDC at the oracle-reported price. That price could be read in the same block as the trade that moved it, and the read had no meaningful flash-loan resistance.
The attack:
- Flash-borrowed $10M USDC from Solend.
- Minted ANA at the prevailing pre-attack price — the deposit pushed the bonding curve upward.
- The oracle, reading from the same curve, reported a higher ANA price in the same block.
- Redeemed the freshly minted ANA back to the protocol — but at the inflated oracle price, the protocol returned ~$13.49M USDT for the ANA the attacker had just minted for $10M.
- Repaid the flash loan and walked away with ~$3.49M profit.
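The round trip above as a toy model, added here as an illustration and not Nirvana's code. The linear curve, the pool figures and the `hardened` previous-block price cap are assumptions, chosen to show why a same-transaction price read pays out more than was deposited and how a pre-transaction snapshot removes the gain.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Toy mint/redeem pool. Linear curve and all figures are constructed."""
    supply: float = 1_000_000.0     # tokens outstanding
    reserve: float = 30_000_000.0   # stablecoin held by the pool
    base: float = 1.0               # curve intercept, in USD
    depth: float = 1_000_000.0      # tokens minted per $1 of price increase
    prev_block_price: float = 0.0   # snapshot taken when the last block closed

    def spot(self) -> float:
        """Price read straight off the curve; movable within one transaction."""
        return self.base + self.supply / self.depth

    def close_block(self) -> None:
        self.prev_block_price = self.spot()

    def mint(self, usd_in: float) -> float:
        tokens = usd_in / self.spot()   # priced before the deposit moves the curve
        self.supply += tokens
        self.reserve += usd_in
        return tokens

    def redeem(self, tokens: float, hardened: bool) -> float:
        price = self.spot()             # weak: the curve this caller just moved
        if hardened:                    # never pay above the prior block's snapshot
            price = min(price, self.prev_block_price)
        usd_out = min(tokens * price, self.reserve)
        self.supply -= tokens
        self.reserve -= usd_out
        return usd_out


def same_tx_round_trip_profit(loan: float, hardened: bool) -> float:
    """Mint then redeem inside one transaction; returns USD gained by the caller."""
    pool = Pool()
    pool.close_block()                  # snapshot predates the transaction
    tokens = pool.mint(loan)
    return pool.redeem(tokens, hardened) - loan


if __name__ == "__main__":
    for hardened in (False, True):
        profit = same_tx_round_trip_profit(10_000_000.0, hardened)
        print(f"hardened={hardened}: round-trip profit = {profit:,.0f}")
```

Asserting that `same_tx_round_trip_profit` is never positive works as a regression test for any mint/redeem design: a same-transaction round trip should return at most what was deposited.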
The aftermath was worse than the realised theft. NIRV (the Nirvana stablecoin) was backed in part by ANA reserves, and the ANA price crashed as the market priced in the protocol's broken solvency. NIRV lost 90% of its peg; ANA lost 89% of its value. The realised theft was $3.5M but the protocol's economic loss was much larger.
Aftermath
- Stolen funds were bridged from Solana to Ethereum via Wormhole and laundered through Tornado Cash.
- Nirvana shut down operations within days; the protocol never reopened.
- The attacker was eventually identified by on-chain investigators and faced multiple civil suits, though no criminal recovery has been publicly reported.
Why it matters
Nirvana is one of three 2022 Solana DeFi protocols (alongside Crema Finance and Cashio) destroyed in a six-month window by oracle and validation bugs that had been documented on EVM years earlier. The Solana DeFi ecosystem was still catching up to the security knowledge accumulated on Ethereum, and every incident was paid for in real customer money.
The structural lesson is the recurring one: an oracle that reads from a curve the attacker can move in the same transaction is not an oracle, it is a calculator the attacker controls.
Sources & on-chain evidence
- [01] theblock.co: https://www.theblock.co/post/159975/solana-stablecoin-nirvana-sinks-90-amid-3-5-million-flash-loan-exploit
- [02] cryptoslate.com: https://cryptoslate.com/solana-based-nirvana-loses-3-49m-to-flash-loan-exploit-tokens-tank-90/
- [03] coindesk.com: https://www.coindesk.com/tech/2022/07/28/solana-defi-protocol-nirvana-drained-of-liquidity-after-flash-loan-exploit