Eleven Finance Incident: Root Cause Analysis

Starting at June 22, 2021 22:58:39 +UTC, Eleven Finance was exploited, draining a number of vaults at a loss of about $4.6 million. The incident was due to a bug that allows the attacker to withdraw funds without burning any shares. While it appears to be a flashloan attack, it is in fact a flashswap-assisted one. In the following, we elaborate on the technical details.

Summary

This incident was due to a bug in the emergencyBurn() function of the ElevenNeverSellVault contract, which is designed to allow users to withdraw funds and burn shares. However, the function doesn't burn shares after transferring funds to users. The hacker made use of this bug and drained funds from at least four vaults of ElevenNeverSellVault. Below we take the first exploit transaction as an example and elaborate on the details.

Details

We started the analysis from one specific transaction behind the hack: 6450…6789. This hack was initiated from this attacker address (located at 0x8b29) and worked as follows:

  • Step 1: Borrow a flashloan of 953,869.62 BUSD from PancakeSwap, which is returned at the last step with the necessary fee to cover the flashloan cost.
  • Step 2: Swap 340,631.23 BUSD for 474,378.75 NRV via PancakeRouter.
  • Step 3: Add liquidity with 474,378.75 NRV and 366,962.02 USDT into NRV+BUSDT pool via PancakeRouter and mint in return 411,515.29 Pancake LP tokens.
  • Step 4: Deposit 411,515.29 Pancake LP tokens into Eleven Finance via ElevenNeverSellVault and obtain 411,515.29 11 nrvBUSD LP tokens.
  • Step 5: Call emergencyBurn() to withdraw 411,515.29 Pancake LP tokens without burning any 11 nrvBUSD LP tokens. The attacker then calls withdrawAll() to get an extra 411,515.29 Pancake LP tokens, with the related 11 nrvBUSD LP tokens burned.
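
The accounting flaw behind steps 4 and 5, as an added example that is not PeckShield's or Eleven Finance's code: a simplified Python model of a vault that issues shares 1:1 for deposited LP tokens, with the missing burn switchable so the broken and corrected behaviour can be compared. The class, its method names and the 1,000,000 LP balance of other depositors are assumptions made for illustration; 411,515.29 is the deposit from step 4.

```python
from decimal import Decimal

class VaultModel:
    """Simplified 1:1 share vault (illustrative, not the real contract)."""
    def __init__(self, burn_on_emergency):
        self.burn_on_emergency = burn_on_emergency
        self.lp_held = Decimal(0)   # LP tokens the vault holds
        self.shares = {}            # holder -> vault share balance

    def deposit(self, user, amount):
        self.lp_held += amount
        self.shares[user] = self.shares.get(user, Decimal(0)) + amount

    def _pay_out(self, amount):
        if amount > self.lp_held:
            raise ValueError("vault holds too few LP tokens")
        self.lp_held -= amount
        return amount

    def withdraw_all(self, user):
        amount = self.shares.get(user, Decimal(0))
        self.shares[user] = Decimal(0)          # burn shares, then transfer
        return self._pay_out(amount)

    def emergency_burn(self, user):
        amount = self.shares.get(user, Decimal(0))
        if self.burn_on_emergency:              # corrected behaviour
            self.shares[user] = Decimal(0)
        return self._pay_out(amount)            # pays out whether or not shares were burned

    def solvent(self):
        # Invariant: each outstanding share is backed by one LP token.
        return self.lp_held >= sum(self.shares.values(), Decimal(0))

def run(burn_on_emergency):
    vault = VaultModel(burn_on_emergency)
    vault.deposit("other_depositors", Decimal("1000000"))  # constructed amount
    vault.deposit("caller", Decimal("411515.29"))          # deposit from step 4
    received = vault.emergency_burn("caller")
    solvent_after_emergency = vault.solvent()
    received += vault.withdraw_all("caller")
    return received, solvent_after_emergency, vault.lp_held

if __name__ == "__main__":
    print("missing burn:", run(False))
    print("with burn:   ", run(True))
```

With the burn missing, solvent() turns False immediately after the emergency withdrawal, which is the invariant a unit test or monitor for such a vault can assert.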

The Stolen Funds

The attacker created additional attack contracts to drain other pools of ElevenNeverSellVault with the same bug (located at 0x6ce0, 0x87e9, 0x01ea). Note that the attacker's funds from the above exploits were initially held in this wallet: 0xc71e. We are actively monitoring this wallet for any movement.

About Us

PeckShield Inc. is an industry-leading blockchain security company with the goal of elevating the security, privacy, and usability of the current blockchain ecosystem. For any business or media inquiries (including the need for smart contract auditing), please contact us at telegram, twitter, or email.
