The team at Wault Finance has been sifting through the ashes to find out what went wrong.
Rising From the Ashes
Wault Finance has now conducted a full post-mortem into the flash loan attack which caught the company with their pants down on Wednesday.
Wault Finance has since apologized to users. Despite two leading audits, the vulnerability went unseen. The team looks to remedy the situation, according to the official incident recap published via Medium. The company has worked in collaboration with cybersecurity experts Inspex to analyse what went wrong, and a remedy is being executed.
“Now, we can move forward with a technical solution, and do our best to compensate our users,” stated the Wault Finance incident recap.
As we reported at the time, the exploit took advantage of a stake function in the WUSDMaster contract. The official conclusion from Wault Finance and Inspex is also that the attacker gained 370.19 ETH “by using the flaw” in the WUSDMaster contract.
Technical Solution
Wault has made changes to the WUSD contract to prevent future exploits. According to the Wault Finance team, the following updates will address the existing vulnerabilities:
Mint Timelock (1 block): When someone mints WUSD, they will only receive it one block later. This prevents flash loan attacks.
Redeem Timelock (1 block): When someone redeems WUSD, they will only receive it one block later. This prevents flash loan attacks.
Minting Fee: We’ll move the 0.2% transaction fee from redemption into a minting fee of 0.2% to mitigate potential arbitrage attacks.
Sell WEX On Redeem: Just like how the protocol buys WEX on mint, it will sell WEX on redemption. This will prevent price manipulation attacks.
The changes are currently being worked on and they will be sent off for audits next week according to the team.
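Notably, the inclusion of the timelock will completely prevent flash loans against these functions. This is because a flash loan must be borrowed and repaid within a single transaction, and therefore within the same block, so it cannot wait out a one-block delay between requesting a mint or redemption and receiving it.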
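
The timelock reasoning above can be checked with a small model. This is an added example, not Wault's contract code: TimelockedVault, run_tx and the other names are hypothetical, the vault mints 1:1, and the fee and WEX buy/sell steps are left out.

```python
import copy
class Revert(Exception):
    """Aborts a transaction; run_tx rolls all state changes back."""

class TimelockedVault:
    """Hypothetical 1:1 vault: mint/redeem requests settle one block later."""
    def __init__(self):
        self.block = 1
        self.collateral, self.stable = {}, {}  # user -> balance
        self.pending = {}  # (user, kind) -> (amount, request block)
    def request(self, user, kind, amount):
        src = self.collateral if kind == "mint" else self.stable
        if amount <= 0 or src.get(user, 0) < amount or (user, kind) in self.pending:
            raise Revert("bad amount, low balance or request already pending")
        src[user] -= amount
        self.pending[(user, kind)] = (amount, self.block)
    def claim(self, user, kind):
        amount, requested_at = self.pending.get((user, kind), (0, self.block))
        if amount == 0 or self.block <= requested_at:
            raise Revert("timelock: claimable only in a later block")
        del self.pending[(user, kind)]
        dst = self.stable if kind == "mint" else self.collateral
        dst[user] = dst.get(user, 0) + amount

def run_tx(vault, body):
    """Run body() atomically, restoring the pre-transaction state on Revert."""
    snapshot = copy.deepcopy(vault.__dict__)
    try:
        body()
        return True
    except Revert:
        vault.__dict__.update(snapshot)
        return False

def flash_loan_round_trip(vault, user, amount):
    """Borrow, mint, redeem and repay in ONE transaction, as a flash loan must."""
    def body():
        vault.collateral[user] = vault.collateral.get(user, 0) + amount  # borrow
        vault.request(user, "mint", amount)
        vault.claim(user, "mint")  # same block as the request: reverts here
        vault.request(user, "redeem", amount)
        vault.claim(user, "redeem")
        vault.collateral[user] -= amount  # repay the lender
    return run_tx(vault, body)

def mint_across_blocks(vault, user, amount):
    """Ordinary user: request in one block, claim in the next."""
    requested = run_tx(vault, lambda: vault.request(user, "mint", amount))
    vault.block += 1  # next block is produced
    return requested and run_tx(vault, lambda: vault.claim(user, "mint"))
```

The single-transaction round trip reverts at the first claim and leaves no state behind, while a user who waits one block receives the minted amount.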
Compensation Plan
“The first thing we need to point out is that no funds were stolen nor incorrectly minted,” stated the incident report.
Wault has clarified that no funds were stolen directly from users. The attacker’s profit was made from price manipulation of WEX – this still has an effect on users.
The Wault Finance team is incorporating a couple of novel remedies outside of the stability mechanics. According to the incident report, a 100k Bug Bounty will be initiated with Immunefi and the team will burn 500k of their team tokens.
For the most part, the team will be relying on the built-in stability mechanisms to remedy the price. The mechanisms and explanations are found in the release.
Here We Go Again
Once again another project on Binance Smart Chain has been caught in a flash loan exploit. Wault Finance is now working on a reimbursement package to make users whole again. According to PeckShield in a Tweet from their official account, this recent exploit “is similar to an earlier yDAI hack.”
For DeFi users the second most disappointing element of this attack (with the first being their loss of funds) will be the fact that the same exploits keep occurring again and again.
Source : bsc.news