The decentralized finance ecosystem on Mantle Network suffered a significant setback on July 14, 2024, when Minterest, an on-chain lending protocol, fell victim to a sophisticated flash loan attack resulting in approximately $1.4 million in losses. The incident, which unfolded in a matter of minutes between 16:24 and 16:28 UTC+3, highlights the persistent vulnerability of DeFi protocols to reentrancy exploits — a class of attack that has plagued smart contract development since the infamous DAO hack of 2016.
The Exploit Mechanics
The attacker executed a carefully orchestrated reentrancy attack targeting the mUSDY market on Minterest’s Mantle Network deployment. The operation began when the attacker borrowed 4.265 million USDY tokens from the AGNI USDY/USDT liquidity pool via a flash loan. With this substantial capital in hand, the attacker first borrowed 392,773 USDY tokens to manipulate the exchange rate by invoking the flashLoan function of the mUSDY contract. The critical vulnerability lay in the attacker’s ability to re-enter the lendRUSDY function — effectively borrowing mUSDY tokens — within the flash loan callback function, exploiting a reentrancy gap that the protocol’s auditors had apparently overlooked.
By manipulating the exchange rate on the mUSDY market through this dual-layered attack, the attacker was able to extract $1.4 million worth of mETH and WETH tokens from the protocol. The manipulation also triggered a cascade of unintended liquidation events, affecting users who had collateral positions in the mUSDY market and causing reduced withdrawal amounts due to the artificially distorted exchange rate.
Affected Systems
The breach was confined exclusively to Minterest’s deployment on the Mantle Network. Critically, the protocol’s deployments on Ethereum and Taiko networks remained completely unaffected, as the vulnerability was specific to the USDY token smart contract implementation on Mantle. The attacker’s wallet address was identified as 0x618F768aF6291705Eb13E0B2E96600b3851911D1, and the exploit transaction was traced through the Mantle block explorer. The incident affected users in three ways: direct loss of protocol funds totaling $1.4 million, forced liquidations of collateral positions, and diminished withdrawal capacity from the USDY market.
The Mitigation Strategy
Minterest’s response was swift and multi-pronged. Within an hour of detecting the breach, the protocol suspended supply and borrow operations on Mantle Network at 17:27 UTC+3, extending the suspension to other chains by 17:54 UTC+3. A war room was established with SEAL 911 — a volunteer group of white hat security researchers — and Blocksec, with coordination support from the Mantle Network team. By July 18, the mUSDY reentrancy vulnerability had been patched and the exchange rate corrected. A 10% bounty for recovered funds was posted on Arkham Intelligence, and centralised exchange partners were notified to freeze any incoming stolen funds. Liquidation fees incurred by affected users on July 14 were returned by July 24.
Lessons Learned
The Minterest incident reinforces several critical lessons for the DeFi space. First, reentrancy vulnerabilities remain a persistent threat despite years of awareness. The checks-effects-interactions pattern, which prevents reentrancy by completing all state changes before external calls, should be a non-negotiable standard in smart contract development. Second, the speed of the attack — completing in under four minutes — demonstrates that real-time monitoring systems like Hypernative Labs are essential for any serious DeFi deployment. In this case, community vigilance combined with automated detection provided the earliest warning signs. Third, flash loan-enabled attacks continue to lower the barrier to entry for attackers, as they eliminate the need for significant upfront capital.
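The flash-loan callback path described in this article can be pinned down as a regression test. The following is an added Python model, not Minterest's contract code, in which one lock shared by flash_loan and lend makes the nested call revert; it shows a shared reentrancy lock as a complement to the checks-effects-interactions ordering named above. The Market class, its rate formula (cash / supply) and all amounts are constructed assumptions.

```python
from contextlib import contextmanager
class Reentrancy(Exception):
    """A guarded entry point was called while another was still running."""

class Market:
    """Constructed toy market, not Minterest's code: rate = cash / supply."""
    def __init__(self, cash, supply, guarded):
        self.cash, self.supply, self.guarded, self._locked = cash, supply, guarded, False

    @contextmanager
    def _entry(self):
        if self.guarded and self._locked:  # one lock shared by all entry points
            raise Reentrancy("re-entered during an external call")
        prev, self._locked = self._locked, True
        try:
            yield
        finally:
            self._locked = prev

    def exchange_rate(self):
        return self.cash / self.supply

    def lend(self, amount):
        """Deposit underlying and mint market tokens at the current rate."""
        with self._entry():
            minted = amount / self.exchange_rate()
            self.cash, self.supply = self.cash + amount, self.supply + minted
            return minted

    def flash_loan(self, amount, callback):
        """Send cash out, call the borrower, take it back (fee omitted)."""
        snapshot = (self.cash, self.supply)
        with self._entry():
            try:
                self.cash -= amount   # rate is understated from here...
                callback(self)        # ...while untrusted code runs
                self.cash += amount
            except Exception:
                self.cash, self.supply = snapshot  # model a transaction revert
                raise

def lend_inside_callback(guarded):
    """Return (tokens minted by a nested 100-unit lend, or None; final rate)."""
    m, out = Market(1000.0, 1000.0, guarded), []
    try:
        m.flash_loan(500.0, lambda mk: out.append(mk.lend(100.0)))
    except Reentrancy:
        return None, m.exchange_rate()
    return out[0], m.exchange_rate()
```

Without the lock the nested lend mints 200 tokens for 100 units, twice the 100 minted at the undistorted rate; with the lock the call reverts and the rate stays at 1.0.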
User Action Required
Users who had active positions on Minterest’s Mantle Network deployment should verify that their accounts were not affected by the unintended liquidation events. Those who experienced losses should follow Minterest’s remediation plan and check for any compensation distributions. More broadly, DeFi users should be aware of the risks inherent in lending protocols, particularly on newer network deployments where smart contracts may not have undergone the same level of battle-testing as those on established chains like Ethereum mainnet. As Bitcoin trades at approximately $60,788 and Ethereum at $3,244, the total value locked in DeFi protocols remains substantial, making security vigilance more important than ever.
borrowed 4.265M USDY to exploit a reentrancy gap. the real question is why the lendRUSDY callback was even callable during a flash loan
4.265M USDY borrowed for the attack. reentrancy in 2024 is embarrassing, this was solved after the DAO hack in 2016
The whole attack took 4 minutes. That is the scary part about flash loan exploits, they are instantaneous and irreversible.
4 minutes and $1.4M gone. the speed of flash loan attacks is what makes them so brutal. no time to react, no time to pause the contract
ryan p is right, 4 minutes from start to finish. flash loans remove the time constraint that used to make these attacks harder. now it's one tx and done
was this audited? Mantle ecosystem projects need to start requiring multiple audits before mainnet launches
^ it was supposedly audited. the reentrancy gap was in a specific callback path that the audit missed
so the audit covered the happy path but missed the callback exploit. happens more often than anyone wants to admit. audits are necessary but not sufficient
ghost_recon_ exactly. the CEI pattern has been standard since 2020. Mantle's ecosystem auditors need to answer for this one