Value DeFi Incident: Root Cause Analysis

Summary

Details

The Hack Walk-through

  • Step 1: Take a flashloan of 80K ETH from Aave
[Figure: Step 1: Aave Flashloan of 80K ETH]
  • Step 2: Swap at UniswapV2 from WETH to 116M DAI: The UniswapV2 DEX first transfers the 116M DAI to the user and then checks the transfer-in of WETH after the swap is finished. (If the WETH is not transferred, or the amount is insufficient, the swap transaction will be reverted.) In between, the 0x675b contract is notified to execute the following steps.
  • Step 3: Swap 80K ETH from Aave to 31M USDT at UniswapV2
  • Step 4: Deposit 25M DAI at Vault DeFi with 24.9M minted pooltokens (to the attacker) and 24.956M new 3crv (under custody of Vault DeFi)
  • Step 5: Swap 90M DAI to 90.285M USDC at Curve: This step leaves the affected 3pool imbalanced, making USDC more expensive.
  • Step 6: Swap 31M USDT to 17.33M USDC at Curve: This step further skews the USDC price in the 3pool.
[Figure: Steps 2–6: Price Manipulation at Curve’s 3pool]
  • Step 7: Burn 24.9M minted pooltokens to redeem a disproportionate share of 33.089M 3crv tokens: Due to the manipulated price feed, the attacker is able to get away with 33.089M 3crv, instead of the normal 24.956M.
  • Step 8: Swap 17.33M USDC back to 30.94M USDT at Curve
  • Step 9: Swap 90.285M USDC back to 90.927M DAI at Curve
  • Step 10: Remove liquidity from 3pool by burning 33.089M 3crv to redeem 33.11M DAI
[Figure: Steps 7–10: Value DeFi Redemption for Profit]
  • Others: The remaining steps essentially convert the gains to pay back the Aave flashloan and complete the UniswapV2 trade at Step 2.
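
As an added illustration (not code from PeckShield or Value DeFi), the Python model below takes the figures from Steps 4 and 7 and shows why a redemption priced from a spot rate pays out 33.089M 3crv, and how a time-weighted reference check rejects it. The 3crv-per-pooltoken rate model, the names `TwapOracle`, `redeem` and `demo_oracle`, the 30-minute window and the 1% tolerance are assumptions of this example.

```python
# Added illustration (constructed model, not Value DeFi's contract code).
from dataclasses import dataclass, field

SHARES = 24.9e6                   # pooltokens minted in Step 4 (from the page)
FAIR_RATE = 24.956e6 / SHARES     # 3crv per pooltoken at deposit time
SKEWED_RATE = 33.089e6 / SHARES   # rate implied by the Step 7 redemption

class PriceDeviation(Exception):
    pass

@dataclass
class TwapOracle:
    window: int                                # averaging window, seconds
    obs: list = field(default_factory=list)    # (timestamp, rate) samples

    def record(self, ts, rate):
        self.obs.append((ts, rate))

    def twap(self, now):
        """Time-weighted mean; each sample holds until the next one."""
        start, total, covered = now - self.window, 0.0, 0
        pts = sorted(self.obs)
        for (t0, rate), (t1, _) in zip(pts, pts[1:] + [(now, None)]):
            lo, hi = max(t0, start), min(t1, now)
            if hi > lo:
                total += rate * (hi - lo)
                covered += hi - lo
        if covered == 0:
            raise ValueError("no price history inside the window")
        return total / covered

def redeem(shares, spot_rate, oracle=None, now=0, max_dev=0.01):
    """Return 3crv owed for `shares`; with an oracle, reject skewed spot rates."""
    if oracle is not None:
        ref = oracle.twap(now)
        if abs(spot_rate - ref) / ref > max_dev:
            raise PriceDeviation(f"spot {spot_rate:.4f} vs TWAP {ref:.4f}")
    return shares * spot_rate

def demo_oracle():
    """Constructed history: three fair samples, then the skewed same-block one."""
    o = TwapOracle(window=1800)
    for ts in (0, 600, 1200):
        o.record(ts, FAIR_RATE)
    o.record(1800, SKEWED_RATE)   # zero elapsed time, so zero weight in the TWAP
    return o

if __name__ == "__main__":
    print(round(redeem(SHARES, SKEWED_RATE)))   # unguarded payout
    try:
        redeem(SHARES, SKEWED_RATE, demo_oracle(), now=1800)
    except PriceDeviation as e:
        print("rejected:", e)
```

Because the skew in Steps 5 and 6 and the redemption in Step 7 happen inside one transaction, the skewed sample has no elapsed time behind it and the reference rate stays at the deposit-time value.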

The Stolen Funds

About Us

A Blockchain Security Company (https://peckshield.com)
