Eleven Finance Incident: Root Cause Analysis

Starting at June-22-2021 22:58:39 +UTC, Eleven Finance was exploited to drain a number of vaults, at a loss of about $4.6 million. The incident was due to a bug that allows the attacker to withdraw funds without burning any shares. While it appears to be a flashloan attack, it is in fact a flashswap-assisted one. In the following, we elaborate on the technical details.

Summary

Details

The Hack Walk-through

We started the analysis from one specific transaction behind the hack: 6450…6789. The hack was initiated from the attacker address (located at 0x8b29) and worked as follows:

  • Step 1: Borrow a flashloan of 953,869.62 BUSD from PancakeSwap, which is returned at the last step with the necessary fee to cover the flashloan cost.
  • Step 2: Swap 340,631.23 BUSD for 474,378.75 NRV via PancakeRouter.
  • Step 3: Add liquidity with 474,378.75 NRV and 366,962.02 USDT into NRV+BUSDT pool via PancakeRouter and mint in return 411,515.29 Pancake LP tokens.
  • Step 4: Deposit 411,515.29 Pancake LP tokens into Eleven Finance via ElevenNeverSellVault and obtain 411,515.29 11 nrvBUSD LP tokens.
  • Step 5: Call emergencyburn() to withdraw 411,515.29 Pancake LP tokens without burning any 11 nrvBUSD LP tokens. The attacker then calls withdrawAll() to get an extra 411,515.29 Pancake LP tokens, with the related 11 nrvBUSD LP tokens burned.
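
The accounting failure in Steps 4 and 5, as an added example that is not Eleven Finance's contract code: a simplified Python model of a 1:1 share vault with the emergency withdrawal written both ways, plus the solvency invariant a test suite can assert after every call. The class, the 1,000,000 LP tokens of pre-existing deposits and the internal bookkeeping are assumptions; only the two function names and the 411,515.29 amount come from the walk-through.

```python
from decimal import Decimal

class VaultModel:
    """Simplified 1:1 share vault (assumed model, not the deployed contract)."""

    def __init__(self, existing_deposits, burn_on_emergency):
        self.lp_held = Decimal(existing_deposits)       # Pancake LP tokens in the vault
        self.total_shares = Decimal(existing_deposits)  # shares held by other depositors
        self.shares = {}                                # holder -> share balance
        self.burn_on_emergency = burn_on_emergency

    def deposit(self, who, amount):
        self.lp_held += amount
        self.total_shares += amount
        self.shares[who] = self.shares.get(who, Decimal(0)) + amount

    def _burn(self, who, amount):
        if self.shares.get(who, Decimal(0)) < amount:
            raise ValueError("insufficient shares")
        self.shares[who] -= amount
        self.total_shares -= amount

    def emergency_burn(self, who):
        amount = self.shares.get(who, Decimal(0))
        if self.burn_on_emergency:   # hardened form: shares are burned before payout
            self._burn(who, amount)
        self.lp_held -= amount       # flawed form reaches here with shares intact
        return amount

    def withdraw_all(self, who):
        amount = self.shares.get(who, Decimal(0))
        self._burn(who, amount)
        self.lp_held -= amount
        return amount

    def solvent(self):
        # Invariant: every outstanding share is backed by an LP token in the vault.
        return self.lp_held >= self.total_shares

def replay(burn_on_emergency):
    """Replay Steps 4-5; returns (LP tokens paid out, invariant still holds)."""
    vault = VaultModel("1000000", burn_on_emergency)  # constructed prior deposits
    vault.deposit("depositor", Decimal("411515.29"))
    paid = vault.emergency_burn("depositor") + vault.withdraw_all("depositor")
    return paid, vault.solvent()
```

With the burn missing, the model pays out twice the deposit and the invariant fails; with the burn in place, the second call has nothing left to redeem.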

The Stolen Funds

About Us

A Blockchain Security Company (https://peckshield.com)