This one almost struck a nerve.
Eleven.finance, a yield aggregator on Binance Smart Chain (BSC) and Polygon (MATIC) was exploited for a total of $4.5M.
Some feared that it was the much larger Nerve Finance who was under attack, but it was in fact the NRV vault of Eleven Finance.
There’s no rest for the wicked - who would attack at such an ungodly hour?
The root cause was a function called emergencyBurn() in the intermediary vault used to track anySwap / Nerve-bridged assets nrvBTC, nrvETH and nrvFUSDT in the Eleven “MasterMind” farming contract.
The attacker first took a Flashloan of each asset’s underlying token balance in the “MasterMind” contract (Binance-pegged BTC, ETH and USDT) to convert these into nrvBTC, nrvETH and nrvFUSDT respectively.
Nerve 3Pool and PancakeSwap BUSD - NRV liquidity provider positions were also affected.
A vulnerable function emergencyBurn() in the intermediate vault contract allowed the attacker to withdraw the deposited balance without having the withdrawal being accounted for internally.
As a result the attacker was able to not only remove his own deposit but the full balance of the same amount that had been in the vault before as well.
The attacker used the Nerve bridge to transfer out 2,293 ETH in proceeds to the address 0xdb2d590aCe7cAe51DF1fB3312738038Ec032Bf33.
1: borrow underlying assets from PancakeSwap (Flash Swap)
2: convert amount (mint) to Nerve asset
3: deposit Nerve asset to “MasterMind” through intermediate vault
4: call emergencyBurn() on intermediate vault, transferring an amount equal to the previously deposited amount (equal to vault balance before attack) to the attacker
5: proceed with a regular withdrawal, transferring the previously deposited asset balance back to the attacker
30.75 BTCB for ~$1.05M from nrvBTC
286 ETH for ~$561K from nrvETH
2.241M BUSD for ~$2.241M from NRV 3Pool LP
0.647M BUSD for $647K from NRV - BUSD LP
$4.5 million gone, entering at position 27 on the ever expanding rekt leaderboard.
Peckshield blamed this on a “dumb logic issue”; a shockingly simple way to lose over four million dollars.
Fear and greed is on the rise, will we see more attacks now that honest work is harder to find?
If you enjoy our work, please donate to our Gitcoin grant.
REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.
Donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C
REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.
You might also like...
A few hours before the attack, we received a message from an anonymous source suggesting that StableMagnet would rugpull. We couldn’t verify the claims, so our hands were tied.
Welcome to the slaughterhouse. Another fork of a fork has rolled off the conveyor belt with $6.3M falling straight into the hands of the hacker.
The BSC bloodbath continues. $45 million gone from "PancakeBunny". At its peak, Pancake Bunny had over $10 billion in TVL. At the time of writing, that TVL is down to just over $1 billion. “Aren’t Flash loans Earitating” said the hacker.