[This blog is published with the authorization from PolyNetwork team]

Given the opportunity to perform an informal security review of the Pull Request 12 (PR-12) of the eth-contracts repository, we summarize in the report our assessment to evaluate the design goal, expose potential security issues, and examine semantic inconsistencies, if any, in the given smart contract implementation. …


Started at Jun-25–2021 12:07:25 AM +UTC, xWin Finance was exploited and the attacker gained about $270k. This incident was due to an invalid slippage control in the protocol, which is exploited in a flashloan to obtain extra xWin rewards. In the following, we elaborate the technical details.

Summary

This incident was due to a bug in the internal _swapBNBToTokens() function of xWinFund contract which implements a price slippage control. However, the logic of slippage control is invalid. The hacker made use of this bug and gained rewards (in terms of 303,998.86 xWin tokens) from the contract to swap for BNB. …


Started at June-22–2021 22:58:39 +UTC, Eleven Finance was exploited to drain a number of vaults at the loss about $4.6 million. The incident was due to a bug that allows the attacker to withdraw funds without burning any shares. While it appears to be a flashloan attack, it is a flashswap-assisted one. In the following, we elaborate the technical details.

Summary

This incident was due to a bug in the emergencyBurn() function of ElevenNeverSellVault contract that is designed to allow user to withdraw funds and burn shares. However, the function doesn’t burn shares after transferring funds to users. The hacker made…


Started at May-22–2021 02:47:06 PM +UTC, Bogged Finance was exploited to inflate the BOG balance, which is immediately sold to gain about $3.6M. The incident was due to a bug that allows the attacker to increase the balance via self-transfer. While it appears to be a flashloan attack, it is a flashswap-assisted one. In the following, we elaborate the technical details.

Summary

This incident was due to a bug in the BOG token contract that is designed to be deflationary by charging 5% of the transferred amount. Specifically, among the 5% charge, 1% is burned and 4% is taken as a…


Started at May-19–2021 10:34:28 PM +UTC, PancakeBunny was exploited to mint 6.97 million of BUNNY as reward from its vault (VaultFlipToFlip). The incident was due to a bug in the way of measuring the LP price from an AMM-based oracle. It is worthwhile to mention that this attack involves 8 flashloans with more than $700M USD. In the following, we elaborate the technical details.

Summary

This incident was due to a bug in the protocol that uses the AMM-based oracle, i.e., PancakeSwap, to measure the price of specific PancakeSwap LPs (BNB-BUSDT/BNB-BUNNY). After a flashloan-based price manipulation on PancakeSwap pools, the exploitation…


Started at 10:36:20 AM +UTC, May 16, 2021, BearnFi’s BvaultsBank contract was exploited to drain about $11M funds from the pool. The incident was due to a bug in its internal withdraw logic in inconsistently reading the same input amount but with different asset denomination betweenBvaultsBank and the associated strategy BvaultsStrategy. In the following, we elaborate the technical details.

Summary

This incident was due to the mis-matched asset denomination implicitly assumed by BvaultsBank and its BvaultsStrategy strategy. Specifically, the BvaultsBank's withdraw logic assumes the withdrawn amount is denominated in BUSD while the BvaultsStrategy's withdraw logic assumes the withdrawn amount is denominated…


[Disclaimer] This analysis is based on the initial finding by @FrankResearcher!

Started at 07:41:39 PM +UTC, May 7, 2021, ValueDeFi’s vSwap contract was exploited to drain a number of pools at the loss of about $11M. The incident was due to the improper use of a complex exponentiation power() function behind the calculation and enforcement of the weighted constant product invariant. It is worthwhile to mention that vSwap uses the weighted constant product invariant formula for non 50-50 ratio pools. In the following, we elaborate the technical details.

Summary

This incident was due to the mis-calculation by the protocol on the…


Started at 04:38:39 PM +UTC, May 1, 2021, the Spartan protocol contract was exploited to result in more than $30M loss. The incident was due to a flawed liquidity share calculation in the protocol, which is exploited to drain assets from the pool. In this blog post, we elaborate the technical details of the issue.

Summary

This incident was due to a flawed logic in calculating the liquidity share when the pool token is burned to withdraw the underlying assets. In particular, the specific hack inflates the asset balance of the pool before burning the same amount of pool tokens to…


Beijing, April 30th — PeckShield Inc. (PeckShield), the industry-leading blockchain security company, announced join forces with Binance Smart Chain (BSC) ecosystem to enhance security implementations in a rapidly expanding Decentralized Finance sector.

Data shows that both transaction volume and unique active wallets (UAWs) on BSC have risen substantially. Since 2021 most DeFi platforms fall into the category of decentralized applications (dApps) built on top of smart contract-enriched blockchains — primarily BSC.

The growth of the market reinforces the importance of on-chain and off-chain monitoring to ensure the safe and responsible adoption of dApps. …


Started at 16:47:53PM UTC, Feb. 27, 2021, the Furucombo protocol contract was exploited to result in more than $14M loss. The incident was due to a flaw of inappropriate trust in the protocol, which is exploited to cascadingly misuse the allowed spending of this protocol on its users. In this blog post, we elaborate the technical details of the issue.

Summary

This incident was due to a flawed logic in trusting a remote entity that has been previously whitelisted. However, the remote entity supports a logic that makes use of the delegatecall feature to invoke user-provided (untrusted) code. As a result…

PeckShield

A Blockchain Security Company (https://peckshield.com)

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store