A flash loan attack drained nearly all funds from NovaBox’s reward pool on Ethereum, resulting in losses of about 56.73 ETH and affecting more than 130 depositors, according to blockchain security firm F12.
The attack depleted roughly 99.86% of the pool in a single transaction. F12 said the incident was not caused by a traditional smart contract vulnerability but by weaknesses in the protocol’s reward distribution mechanism.
According to the firm, the attacker exploited how NovaBox calculated dividend rewards during deposits and withdrawals, allowing funds to be extracted without relying on common attack methods such as reentrancy exploits or arithmetic errors.
Flawed dividend logic opened the door
F12 said the attacker exploited a weakness in NovaBox’s security checks by using a contract constructor, allowing the transaction to bypass safeguards designed to detect smart contracts.
According to the firm, the attacker borrowed 427.5 WETH through a flash loan from Aave V3 and completed the exploit in a single transaction. The operation started with a small deposit of NOVA tokens, followed by a larger ETH deposit into the protocol.
The issue stemmed from how NovaBox calculated and distributed rewards. F12 said the protocol paid out dividends before fully updating the attacker’s stake balance, creating a gap between the pool’s recorded totals and the user’s actual position.
Because of that mismatch, rewards were calculated using outdated pool data but applied to a much larger stake. F12 said the flaw effectively created a phantom dividend worth about 145.82 ETH, allowing the attacker to extract funds from the reward pool.
Pool falls from 65 ETH to almost zero
The attack nearly emptied NovaBox’s liquidity pool. According to F12, the pool’s balance fell from 65.11 ETH to just 0.09 ETH in a single transaction. The firm wrote, “99.86% of the pool gone in one tx.” The loss affected 133 depositors whose funds were tied to the investment pool.
The security experts said the flash loan itself was not the root cause. Rather, the attack exposed weaknesses in NovaBox's reward allocation structure and in how it creates accounts.
Security firm Defimon Alerts found a related problem in the protocol's dividend tracking system. According to its analysts, recently created accounts were able to collect dividends from previous allocations because no initial balance was set up for them.
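The missing-baseline flaw described above can be modeled in a short simulation. This is an added example, not NovaBox's code or either firm's analysis: the cumulative dividend-per-share model, the class and account names, and all amounts are assumptions constructed for illustration.

```python
from fractions import Fraction

class DividendLedger:
    """Constructed model of cumulative dividend-per-share accounting."""

    def __init__(self, baseline_on_deposit):
        self.baseline_on_deposit = baseline_on_deposit
        self.acc_per_share = Fraction(0)  # dividends allocated so far, per unit staked
        self.total_stake = 0
        self.reward_pool = Fraction(0)
        self.stake, self.baseline, self.banked = {}, {}, {}

    def distribute(self, amount):
        self.reward_pool += amount
        if self.total_stake:
            self.acc_per_share += Fraction(amount, self.total_stake)

    def pending(self, who):
        since = self.acc_per_share - self.baseline.get(who, 0)
        return self.banked.get(who, 0) + self.stake.get(who, 0) * since

    def deposit(self, who, amount):
        if self.baseline_on_deposit:
            # Bank what the old stake earned, then start the account at the
            # current accumulator so new stake earns only future allocations.
            self.banked[who] = self.pending(who)
            self.baseline[who] = self.acc_per_share
        self.stake[who] = self.stake.get(who, 0) + amount
        self.total_stake += amount

    def total_owed(self):
        return sum(self.pending(w) for w in self.stake)

def run_scenario(baseline_on_deposit):
    """Two early stakers, one allocation, then a large late deposit."""
    ledger = DividendLedger(baseline_on_deposit)
    ledger.deposit("early_a", 100)
    ledger.deposit("early_b", 100)
    ledger.distribute(10)            # allocated to the 200 units staked so far
    ledger.deposit("late", 1000)     # joins after the allocation
    return ledger.pending("late"), ledger.total_owed(), ledger.reward_pool

if __name__ == "__main__":
    for mode in (False, True):
        late, owed, pool = run_scenario(mode)
        status = "solvent" if owed <= pool else "INSOLVENT"
        print(f"baseline={mode}: late={late} owed={owed} pool={pool} {status}")
```

The comparison of total owed against the reward pool is the invariant a protocol's test suite or monitoring can assert after every deposit and withdrawal.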
DeFi faces continued security challenges
The NovaBox attack is the latest in a series of flash loan exploits affecting decentralized finance platforms. Last month, attackers targeted INK Finance’s deployment on Polygon and stole about $140,000 in USDT.
Scallop Protocol also lost roughly $142,000 in April after attackers exploited a deprecated rewards contract. Earlier this year, hackers drained more than $438,000 from the SOF and LAXO token ecosystems on BNB Smart Chain.
The incidents underscore a shift in the types of weaknesses being targeted across the DeFi sector. Rather than exploiting traditional coding flaws, attackers have increasingly focused on reward systems, incentive structures, and other economic mechanisms that govern how protocols distribute value.
