ValueDefi vSwap Pool Contract Exploited in String of Hacks

The latest hack, on May 7th at 07:41:39 PM +UTC, drained 11M USD from the vSwap contract liquidity pools, making it the platform’s third exploit. Events of this type have become rampant in recent times and threaten the ecosystem.

Three Exploits

The first exploit covered by Rekt News, in November 2020, was a flash loan that resulted in a $7 million loss. On May 5th, a new exploit hit the vBSWAP/BUSD LP because a line of code was lost through “human error.” It didn’t stop there: on May 7th the vSwap contract was exploited, draining 11M from its pools. In total, these hacks resulted in over 20,000,000 of lost funds due to smart contract risks.

Rekt News Investigates the May 5th Exploit

The following investigation details are taken from the Rekt News analysis of what went down with the code exploit:

On May 5th, 2021, 3:22 AM UTC, the exploiter re-initialized the pool and set the operator role to himself and _stakeToken to HACKEDMONEY.

By doing so, the exploiter took control of the pool, called the method governanceRecoverUnsupported(), and drained the original stake token (vBSWAP/BUSD LP).

The exploiter then removed 10,839.16 vBSWAP/BUSD LP, burned the LP tokens, and received 7342.75 vBSWAP and 205,659.22 BUSD.

The exploiter then sold all 7342.75 vBSWAP for 8790.77 BNB at 1inch exchange.

The exploiter used both BNB and BUSD to buy renBTC and used renBridge to move the funds back to BTC, sent to the following address: 1Cm6WGvXQ9EgvvWX5dRsBxE2NvxFjfbcVF

The actions can be verified on-chain here.

The affected pool contract had an initialize() function that should have been activated after deployment.

The line: initialized = true; is missing from the function.

This meant anyone could re-initialize the pool and set themselves as owner, thereby taking complete control. As an owner, the exploiter used governanceRecoverUnsupported(), which is used for recovering pool funds in the event of a bug or undesired event.

During the setup of the profit-sharing vStake pool, the code was not written from scratch but migrated from the old implementation of the Value DeFi Reserve Fund. The original implementation had the correct setting, but when merging the code, the line was not included.
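The re-initialization flaw described above, shown next to its fix in Solidity. This is an added example, not ValueDefi's or Rekt News's code: only the names initialize(), initialized, operator, _stakeToken and governanceRecoverUnsupported() come from the article, while the contract names, function signatures, the require guard and the stake-token check are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Illustrative only; not the ValueDefi source. Signatures are assumed.
abstract contract PoolBase {
    bool public initialized;
    address public operator;
    address internal _stakeToken;

    modifier onlyOperator() {
        require(msg.sender == operator, "not operator");
        _;
    }

    // Recovery path for tokens that are not the pool's stake token.
    // Assumption: it refuses the current _stakeToken, so whoever controls
    // initialize() also controls what this function is willing to release.
    function governanceRecoverUnsupported(IERC20 token, uint256 amount, address to)
        external
        onlyOperator
    {
        require(address(token) != _stakeToken, "stake token");
        require(token.transfer(to, amount), "transfer failed");
    }
}

contract PoolMissingFlag is PoolBase {
    function initialize(address stakeToken_) external {
        require(!initialized, "already initialized");
        // BUG (as in the article): `initialized = true;` is missing, so the
        // guard above never trips and any caller can run this again.
        _stakeToken = stakeToken_;
        operator = msg.sender;
    }
}

contract PoolFixed is PoolBase {
    function initialize(address stakeToken_) external {
        require(!initialized, "already initialized");
        initialized = true; // the line the article says was lost in the merge
        _stakeToken = stakeToken_;
        operator = msg.sender;
    }
}
```

A regression test that calls initialize() twice and expects the second call to revert catches this class of merge error. The fixed version still hands control to whoever calls initialize() first, so deployment and initialization should happen in the same transaction.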

Peckshield Investigation on Latest Exploit

The latest hack, on May 7th at 07:41:39 PM +UTC, drained 11M USD from the vSwap contract liquidity pools. Another blockchain-based security organization also released a Medium post detailing what may have transpired with the code: an incorrectly weighted constant product invariant calculation.

The root cause of the attack – Image from Peckshield

From Peckshield’s technical analysis of what may have transpired with the code:

“The root cause behind this attack, the vulnerability stems from the improper use of a complex exponentiation power() function, which unfortunately lies in the critical path for invariant calculation and enforcement. Confirming Rekt News’ “Human Error” identification of the problem. Peckshield also suggests making the assumption explicit in the power() function by adding the following requirement: require(baseN >= baseD)!”

ValueDefi released this Tweet an hour ago, indicating that they are working with PeckShield Inc and Certik to analyze the root cause of the

Another Day, Another Exploit

Once again, the Binance Smart Chain (BSC) community has been reminded of the vulnerability of smart contract code. Each new day seems to bring a new code exploit, a pool draining, or a rugpull. Events of this type have become rampant in recent times and threaten the ecosystem.

Does this show us weak contract code, lazy teams, or better ways to strengthen blockchain security systems further? Whatever the right answers may be, they shouldn’t come with repeated loss of funds for DeFi users.
Join the rest of the community to keep an eye on funds movement in the wallet.
