Starting at 10:36:20 AM +UTC, May 16, 2021, BearnFi’s BvaultsBank contract was exploited to drain about $11M in funds from the pool. The incident was due to a bug in its internal withdraw logic: BvaultsBank and the associated strategy BvaultsStrategy read the same input amount inconsistently, each with a different asset denomination. In the following, we elaborate on the technical details.

Summary

This incident was due to the mismatched asset denominations implicitly assumed by BvaultsBank and its strategy, BvaultsStrategy. Specifically, BvaultsBank's withdraw logic assumes the withdrawn amount is denominated in BUSD, while BvaultsStrategy's withdraw logic assumes the withdrawn amount is denominated…


[Disclaimer] This analysis is based on the initial finding by @FrankResearcher!

Starting at 07:41:39 PM +UTC, May 7, 2021, ValueDeFi’s vSwap contract was exploited to drain a number of pools at a loss of about $11M. The incident was due to the improper use of a complex exponentiation power() function behind the calculation and enforcement of the weighted constant product invariant. It is worth mentioning that vSwap uses the weighted constant product invariant formula for non 50-50 ratio pools. In the following, we elaborate on the technical details.

Summary

This incident was due to the miscalculation by the protocol on the…


Starting at 04:38:39 PM +UTC, May 1, 2021, the Spartan protocol contract was exploited, resulting in a loss of more than $30M. The incident was due to a flawed liquidity share calculation in the protocol, which was exploited to drain assets from the pool. In this blog post, we elaborate on the technical details of the issue.

Summary

This incident was due to flawed logic in calculating the liquidity share when the pool token is burned to withdraw the underlying assets. In particular, the specific hack inflates the asset balance of the pool before burning the same amount of pool tokens to…


Beijing, April 30th — PeckShield Inc. (PeckShield), the industry-leading blockchain security company, announced that it is joining forces with the Binance Smart Chain (BSC) ecosystem to enhance security implementations in the rapidly expanding Decentralized Finance sector.

Data shows that both transaction volume and unique active wallets (UAWs) on BSC have risen substantially. Since 2021 most DeFi platforms fall into the category of decentralized applications (dApps) built on top of smart contract-enriched blockchains — primarily BSC.

The growth of the market reinforces the importance of on-chain and off-chain monitoring to ensure the safe and responsible adoption of dApps. …


Starting at 16:47:53 PM UTC, Feb. 27, 2021, the Furucombo protocol contract was exploited, resulting in a loss of more than $14M. The incident was due to a flaw of inappropriate trust in the protocol, which was exploited to cascadingly misuse the protocol's allowed spending on behalf of its users. In this blog post, we elaborate on the technical details of the issue.

Summary

This incident was due to flawed logic in trusting a remote entity that had been previously whitelisted. However, the remote entity supports logic that makes use of the delegatecall feature to invoke user-provided (untrusted) code. As a result…


Starting at 21:49:07 PM +UTC, Feb. 4, 2021, the yDAI vault contract was exploited, resulting in a loss of about $11M. The incident was due to a flaw that allowed a forced investment into a strategy, i.e., StrategyDAI3pool, which was manipulated to be unprofitable at the moment of investment. In this blog post, we elaborate on the technical details of the issue.

Summary

This incident was due to flawed logic in allowing for forced investment into a non-profitable strategy. A flashloan was utilized to influence the targeted strategy so that it becomes not profitable at the specific transaction of…


[Disclaimer] This analysis is based on the initial finding by @nomorebear!

Starting at 08:08:12 AM +UTC, Dec. 28, 2020, Cover’s Blacksmith contract was exploited to inflate the total amount of COVER tokens in circulation, which currently stands at 40+ quintillion COVERs (1 quintillion = 10^18). The incident was due to a business logic bug in the way COVER rewards are calculated for staking users. It is worth mentioning that this appears to be a white-hat operation, and the gains from the exploit have already been returned to the team. In the following, we elaborate on the technical details.

Summary

This incident was due…


Starting at 10:24:41 PM +UTC, Dec. 17, 2020, WarpFinance was exploited and drained of ~$7.8 million of DAI from its vault (WarpVaultSC). The incident was due to a bug in the way the asset price is measured from an AMM-based oracle. It is worth mentioning that this attack does not result in immediate profit for the attacker. In the following, we elaborate on the technical details.

Summary

This incident was due to a bug in the protocol that uses the AMM-based oracle, i.e., Uniswap, to measure the asset price. After a flashloan-based price manipulation on Uniswap, the exploitation leads to a disproportionate (borrowed)…


Starting at 18:37:24 PM +UTC, Nov. 21, 2020, Pickle Finance was attacked by exploiting two bugs in the ControllerV4 smart contract. The hack resulted in draining all 19.76M DAI invested under the StrategyCmpdDaiV2 management. In this blog post, we elaborate on the technical details of these two bugs.

Summary

Pickle is a yield-generating YFI-related DeFi protocol on Ethereum that allows users to deposit assets and earn yields. However, it has two bugs in the controller logic: the first one is an input validation bug that fails to validate whether a given jar is supported or not; and the second one is arbitrary code execution


Starting at 08:26:52 PM +UTC, Nov. 17, 2020, 88mph was attacked by exploiting a business logic error in the DInterest smart contract. The hack resulted in maliciously minting approximately $100K worth of MPH tokens. Later, the hacker transferred the funds to the MPH-ETH UniswapV2 pool. With the help of the legendary whitehat, samczsun, the dev team exploited another bug in the MPHMinter contract to drain the Uniswap pool, rescuing existing funds and getting the hacked funds back. In this blog post, we elaborate on the technical details of these two bugs.

Summary

88mph is a fixed-rate yield-generation protocol on Ethereum that allows…

PeckShield

A Blockchain Security Company (https://peckshield.com)