Table of Contents
- 1 Overview
- 2 About Value DeFi
- 3 Root Cause of the Hack
- 4 Attack Flow
- 5 Stolen Fund Details
- 6 Hack Aftermath and Immediate Response
- 7 Mitigation Steps to Avoid Such Hacks
- 8 Conclusion
On November 14, 2020, Value DeFi, a Binance Smart Chain (BSC) project, suffered a security breach resulting in a loss of $7.4 million in DAI from its MultiStablesVault.
Initiated at 15:36:30 PM +UTC, the attack was facilitated by a flaw in the protocol’s AMM-based oracle, specifically Curve, used for asset price measurement.
The hacker executed a flash loan attack, leading to a price manipulation on Curve, which resulted in the issuance of an excessive number of 3crv tokens compared to the previously minted pooltokens. These 3crv tokens were subsequently redeemed for DAI, culminating in a significant financial loss for Value DeFi.
About Value DeFi
Value DeFi, a DeFi (Decentralized Finance) platform, has carved a niche in the crypto community by offering high-yield farming opportunities and showcasing its innovative approach to DeFi solutions.
Before the hack, the platform boasted a Total Value Locked (TVL) exceeding $11 million, underscoring its popularity and trust within the sector. During 2020, Value DeFi gained significant momentum and recognition as part of the burgeoning trend of DeFi projects, primarily due to its promising and lucrative yield farming options.
Root Cause of the Hack
Primary Reason for Hack: The exploit resulted from a vulnerability in the protocol’s use of an AMM-based oracle (Curve) to measure asset prices. This vulnerability allowed for price manipulation through a flash loan-based attack.
The hack utilized a flash loan, a concept where large amounts of cryptocurrency are borrowed and repaid in a single transaction, combined with price manipulation in an Automated Market Maker (AMM) model.
Initiation of the Attack
- Malicious Contract Deployment: The attack began with the deployment of a malicious contract by the attacker (address: 0xa773603b139Ae1c52D05b35796DF3Ee76D8a9A2F), located at 0x675BD0A0b03096c5ead734cFa00C7620538C7C6F.
- Hack Transaction Link: https://bscscan.com/tx/0x2fd0aaf0bad8e81d28d0ee6e4f4b5cbba693d7d0d063d1662653cdd2a135c2de
Execution of Aave Flashloan
- Flashloan Acquisition: The first operational step involved acquiring a substantial flashloan of 80K ETH from Aave.
Price Manipulation via UniswapV2
Initial Swap to DAI: The attacker swapped WETH for 116M DAI on UniswapV2, where the DAI was transferred first, followed by a post-swap transfer-in check for WETH.
Swap to USDT: Subsequently, 80K ETH from Aave was exchanged for 31M USDT on UniswapV2.
Vault DeFi Interaction
DAI Deposit and Pool Token Minting: The attacker then deposited 25M DAI into Vault DeFi. This action resulted in the minting of 24.9M pooltokens for the attacker and the creation of 24.956M new 3crv tokens under Vault DeFi’s control.
Manipulation of Curve’s 3pool
Swapping to USDC: A swap of 90M DAI for 90.285M USDC was performed at Curve, causing an imbalance in the 3pool.
USDT to USDC Swap: Further exacerbating the imbalance, 31M USDT was swapped for 17.33M USDC at Curve.
Profit Extraction from Value DeFi
Redeeming 3crv Tokens: The manipulated price feed allowed the attacker to burn 24.9M minted pooltokens and redeem an disproportional share of 33.089M 3crv tokens.
Conversion to USDT and DAI: The attacker then converted 17.33M USDC back to 30.94M USDT and 90.285M USDC back to 90.927M DAI at Curve.
Final Liquidity Removal: The last step was removing liquidity from Curve’s 3pool by burning 33.089M 3crv to redeem 33.11M DAI.
Completion of the Attack Cycle
Repaying the Flashloan: The acquired profits were used to repay the Aave flashloan and complete the initial UniswapV2 trade.
Returning Partial Funds: After successfully exploiting the vulnerabilities, the attacker returned 2M DAI to the Value DeFi deployer (address: 0x7be4) and retained 5.4M DAI as profit.
Stolen Fund Details
Movement of Funds: After the hack, the attacker returned 2 million DAI to Value DeFi and moved the majority funds through Tornado Cash.
Hack Aftermath and Immediate Response
Timeline of Events Post-Exploit
Initial Discovery (15:24): The hack occurred at a critical moment, just 20 minutes before a scheduled AMA (Ask Me Anything) session for Value DeFi.
Community Reaction (15:41-15:42): At 15:41, users noticed and questioned the significant drop in Total Value Locked (TVL), which had surpassed $11 million earlier. By 15:42, concern escalated among group members, with some speculating about potential UI bug.
Confirmation of the Hack (15:49): The situation became clear when an Etherscan link revealing the hack was shared in the chat, showing that $7 million had been withdrawn from the Value DeFi vault, with $2 million returned alongside a note. Official Acknowledgement and AMA Session
Value Team’s Acknowledgment (16:05): Despite the unfolding events, the AMA session commenced at 16:00. The Value team officially recognized the hack at 16:05 on their Discord channel. However, the AMA continued to address unrelated topics for an additional 40 minutes.
Public Communication: Concurrently, Stani Kulechov released a tweet as the AMA began, potentially in response to the hack. Impact on Token Value
Drop in Token Value and TVL: The hack had an immediate and significant impact on the value of Value DeFi’s token and its TVL, reflecting the magnitude of the exploit.
Price Impact: The price of the associated token dropped from $2.73 to $1.87 following the hack.
Mitigation Steps to Avoid Such Hacks
Strengthening Oracle Security
Implementation of Multi-Source Oracles: To mitigate risks associated with oracle manipulation, integrating multi-source oracles can provide a more reliable and tamper-resistant price feed.
Regular Oracle Audits: Conducting periodic audits and stress tests of oracle mechanisms to ensure they accurately reflect market prices, even under unusual conditions.
Enhancing Smart Contract Auditing
Continuous and Comprehensive Audits: Implementing ongoing auditing processes, not just pre-launch but also periodically post-deployment, to catch vulnerabilities that may arise due to changes in the ecosystem.
Engaging with Specialized Security Firms: Collaborating with firms specialized in blockchain and smart contract security to conduct in-depth analyses and provide recommendations for strengthening the protocols.
Robust Flash Loan Attack Prevention
Implementation of Flash Loan Attack Detection Systems: Developing and deploying systems specifically designed to detect unusual transaction patterns indicative of flash loan attacks.
Introducing Time-Locks or Delays in Transactions: Implementing time-locks or requiring multiple block confirmations for large transactions can reduce the risk of flash loan exploits by slowing down the attack process.
Limiting Transaction Size: Setting limits on the maximum transaction size or amount that can be borrowed via flash loans.
The Value DeFi hack underscores the critical vulnerabilities in DeFi platforms, particularly highlighting the susceptibility of oracles and the complexities surrounding flash loans.
This incident not only reveals how oracle manipulation can lead to significant security breaches but also demonstrates the dual nature of flash loans as both an innovative financial tool and a potential vector for exploitation.
The incident serves as a stark reminder of the need for robust security frameworks in the DeFi space. Implementing stringent security measures, along with regular and thorough smart contract audits by experienced firms like ImmuneBytes, is essential to mitigate such risks and enhance the overall resilience of DeFi platforms against similar attacks in the future.