Value DeFi Incident: Root Cause Analysis
Started at 15:36:30 PM +UTC, Nov-14-2020, Value DeFi was exploited to drain $7.4 million of DAI
from its pooled
MultiStablesVault. The incident was due to a bug in the way to measure asset price
from an AMM-based oracle. The hacker further leaves a message (
"do you really know flashloan?")
to challenge the team. In the following, we elaborate the technical details.
This incident was due to a bug in the protocol that uses the AMM-based oracle, i.e., Curve, to measure the asset price. After a flashloan-based price manipulation on Curve, the exploitation leads to an unproportional 3crv tokens even from with the same amount of previously minted pooltokens. After the withdrawal, these 3crv tokens are then redeemed for DAI. The whole process leads to $7.4 million of DAI loss of Value DeFi (while $2 million of DAI is returned back to Value DeFi).
The Hack Walk-through
- Step 1: Take a flashloan of 80K ETH from Aave
- Step 2: Swap at UniswapV2 from WETH to 116M DAI: The UniswapV2 DEX firstly transfers the 116M DAI to the user and then checks the transfer-in of WETH after the swap is finished. (If WETH is not transferred or without sufficient amount), the swap transaction will be reverted.) In between, the 0x675b contract is notified to execute the following steps.
- Step 3: Swap 80K ETH from Aave to 31M USDT at UniswapV2
- Step 4: Deposit 25M DAI at Vault DeFi with 24.9M minted pooltokens (to the attacker) and 24.956M new 3crv (under custody of Vault DeFi)
- Step 5: Swap 90M DAI to 90.285M USDC at Curve: This step makes the affected 3pool imbalanced, causing USDC
- Step 6: Swap 31M USDT to 17.33M USDC at Curve: This step further skews the USDC price in the 3pool.
- Step 7: Burn 24.9M minted pooltokens to redeem the unproportional share of 33.089M 3crv tokens: Due to the manipulated price feed, the attacker is able to get away with 33.089M 3crv, instead of normal 24.956M.
- Step 8: Swap 17.33M USDC back to 30.94M USDT at Curve
- Step 9: Swap 90.285M USDC back to 90.927M DAI at Curve
- Step 10: Remove liquidity from 3pool by burning 33.089M 3crv to redeem 33.11M DAI
- Others: The remaining steps essentially convert the gains to pay back the Aave flashloan and complete the UniswapV2 trade at Step 2.
After the successful exploitation, the attacker returns 2M DAI back to the Value DeFi deployer (0x7be4) and keeps 5.4M DAI of profit.
The Stolen Funds
The stolen funds from the above exploitations are currently held in this wallet: 0xa773. We are actively monitoring this wallet for any movement.
PeckShield Inc. is an industry leading blockchain security company with the goal of elevating the security, privacy, and usability of the current blockchain ecosystem. For any business or media inquiries (including the need for smart contract auditing), please contact us at telegram, twitter, or email.