A Series of $54,000,000 in Flash Loans Results in Losses of $888k on Wault Finance

Wault Finance suffered a flash loan attack resulting in losses of approximately $888,000, and WUSD minting was temporarily disabled as an initial safeguard.

Flash Loan Attack

Wault Finance, a decentralized finance (DeFi) protocol, became the latest victim of a flash loan attack that stole $888,000.
PeckShield, a leading audit firm, first identified the flash loan exploit transaction on August 4th, according to its official Tweet. The audit firm later identified the flawed stake() function in an updated thread.

That function allowed for the balance of the USDT/WEX liquidity to be manipulated. The $WEX token tumbled to about half of its value prior to the exploit before slightly recovering.

“The attacker repeats stake() 68 times. Each time the WUSDMaster is coded (forced) to swap 10% of the staked USDT (250K) into WEX via the imbalanced USDT_WEX pair, which becomes even [more] skewed,” stated the detailed post mortem in the Tweet thread. The thread went on to explain: “At the end, the attacker makes a reverse swap from WEX to USDT for profit.”

The hacker was able to repeatedly utilize flash loans and the flawed stake() function to artificially inflate the WEX price. This was done by manipulating the balance of tokens in the WEX/USDT pool.
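The price effect PeckShield describes, and one common guard against it, shown as an added example that is not Wault Finance's or PeckShield's code. It models the USDT_WEX pair as a fee-free constant-product pool with constructed reserves, and uses the starting price as a stand-in for a TWAP or oracle reference; the 5% tolerance and all function names are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product (x * y = k) pool; swap fees ignored for clarity."""
    usdt: float
    wex: float

    def price(self) -> float:
        """Spot price of WEX, in USDT."""
        return self.usdt / self.wex

    def swap_usdt_for_wex(self, usdt_in: float) -> float:
        wex_out = self.wex * usdt_in / (self.usdt + usdt_in)
        self.usdt += usdt_in
        self.wex -= wex_out
        return wex_out


class PriceDeviation(Exception):
    """Raised where a contract would revert."""


def guarded_swap(pool: Pool, usdt_in: float, reference: float,
                 max_dev: float = 0.05) -> float:
    """Refuse the protocol's forced swap when the pool's spot price has
    drifted more than max_dev from an independent reference price."""
    dev = abs(pool.price() - reference) / reference
    if dev > max_dev:
        raise PriceDeviation(f"spot price is {dev:.1%} away from reference")
    return pool.swap_usdt_for_wex(usdt_in)


def simulate(stakes: int, swap_usdt: float, guarded: bool):
    """Return (swaps executed, final price / starting price)."""
    pool = Pool(usdt=5_000_000.0, wex=50_000_000.0)  # constructed reserves
    reference = pool.price()  # stand-in for a TWAP/oracle value
    done = 0
    for _ in range(stakes):
        try:
            if guarded:
                guarded_swap(pool, swap_usdt, reference)
            else:
                pool.swap_usdt_for_wex(swap_usdt)
        except PriceDeviation:
            break
        done += 1
    return done, pool.price() / reference


if __name__ == "__main__":
    print("unguarded:", simulate(68, 250_000, guarded=False))
    print("guarded:  ", simulate(68, 250_000, guarded=True))
```

With these constructed reserves, 68 unguarded forced swaps of 250K USDT multiply the pool price by about 19x, while the guarded version stops after the first swap.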

Image: the stake() exploit via the WUSDMaster contract, from PeckShield

Wault Finance Addresses the Exploit

The team took preventive action an hour after the initial red flags, shutting down WUSD minting. This was announced in a Twitter thread which detailed a basic post mortem of the event.

It was later found that only the USDT/WEX pool had been compromised via the WEX contract, according to a Wault Finance Tweet. The vulnerability was contained after all WEX was drained from the contract, resulting in a loss of $888,000.
The Wault Finance community was shaken by this sudden news because the contracts were audited by reputable cybersecurity companies.

Reparative Action by Wault Finance

The team has taken steps to remedy and minimise the impact of the exploit. In its Twitter thread, Wault outlined 3 steps that will be taken:

1. The treasury has ~150k USD which we’ll use for WEX buyback to fill the gap

2. There’s been 100Mn USD in trading as a result of this; also more buyback

3. Once we fix the vulnerability, the stability mechanisms will also resume filling the WUSD treasury, until back to $1

The buying back of $WEX will, to an extent, stabilize the price. However, the negative impact of this exploit might leave irreparable damage. 

The two audit companies, CertiK and Hacken, are highly regarded, and the incident goes to show that audit firms are susceptible to human flaws as well. PeckShield was not one of the auditing companies but was the first to report on the incident.

Source : Wault Finance’s contracts are audited by reputable cybersecurity companies

Balancing Risk and Reward

Most exploits have taken place on platforms offering DeFi services. New platforms are attractive investment opportunities because they have not yet realized their full potential.

This reward will often come with certain risks. Existing platforms that have stood the test of time have a reduced risk of potential exploits. 

Apart from counting on audits by professionals, proper risk allocation by investors is also important.  

Source : bsc.news
