Top ten thievery.
As AVAX rises in popularity, its crime rates increase accordingly. This is the second substantial loss on the Avalanche network this month.
What’s normal for us is not normal elsewhere.
34 million dollars stolen, but this story is just one of many.
The following is taken from the (first) official post-mortem.
Exploiter ETH Address: 0xeeee458c3a5eaafcfd68681d405fb55ef80595ba
Exploiter AVAX Address: 0xeeeE458C3a5eaAfcFd68681D405FB55Ef80595BA
The funds were then bridged to Avalanche, where the attacker swapped 26.999006274904347875 WETH.e for 1,369.708 AVAX via Pangolin.
Once the attack contract had been funded with 20 AVAX in 5 addresses, the preparation was complete and the exploit execution could begin.
After deploying a new attack contract, the same steps were used, this time successfully.
Repeated trades of USDT.e to ETH.e were made via AugustusSwapper.
And a third attack was deployed.
During leveraged trading, Vee Finance uses a single source price oracle: the prices of assets in the Pangolin pools. Via trading between these newly created pairs, the attacker was able to manipulate the prices that Vee Finance referenced.
This manipulation, together with the fact that price acquisition wasn’t processed for decimals, allowed for the approval of transactions that would usually not pass the protocol’s slippage check.
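A minimal model of the two weaknesses named above, written as an added example and not taken from Vee Finance's contracts: a slippage check that ignores token decimals, a normalized version, and a deviation check against a second price source. The token decimals, prices, the 3% and 5% tolerances and all function names are assumptions constructed for illustration.

```python
from fractions import Fraction

# Constructed metadata: raw on-chain amounts are integers scaled by 10**decimals.
DECIMALS = {"USDT.e": 6, "WETH.e": 18}

def to_units(raw, token):
    """Convert a raw integer amount into whole-token units."""
    return Fraction(raw, 10 ** DECIMALS[token])

def slippage_ok_naive(raw_in, raw_out, price, max_slip):
    """Flawed: applies a per-token price to raw integers of different scale."""
    return raw_out >= raw_in * price * (1 - max_slip)

def slippage_ok(raw_in, tok_in, raw_out, tok_out, price, max_slip):
    """Normalize both sides to whole tokens before comparing."""
    expected = to_units(raw_in, tok_in) * price
    return to_units(raw_out, tok_out) >= expected * (1 - max_slip)

def price_sane(pool_price, ref_price, max_dev):
    """Require the pool price to agree with an independent reference price."""
    return abs(pool_price - ref_price) <= ref_price * max_dev

def approve_trade(raw_in, tok_in, raw_out, tok_out, pool_price, ref_price,
                  max_slip=Fraction(3, 100), max_dev=Fraction(5, 100)):
    if not price_sane(pool_price, ref_price, max_dev):
        return "reject: pool price deviates from reference"
    if not slippage_ok(raw_in, tok_in, raw_out, tok_out, pool_price, max_slip):
        return "reject: slippage"
    return "approve"

# Constructed scenario: 3000 USDT.e in, fair price 1/3000 WETH.e per USDT.e.
RAW_IN = 3000 * 10**6
FAIR = Fraction(1, 3000)
HALF_OUT = 5 * 10**17          # trade returns only 0.5 WETH.e
SKEWED_POOL = Fraction(1, 6000)  # pool price pushed to half the fair value

if __name__ == "__main__":
    # The naive check accepts a trade that loses half its value.
    print(slippage_ok_naive(RAW_IN, HALF_OUT, FAIR, Fraction(3, 100)))
    print(slippage_ok(RAW_IN, "USDT.e", HALF_OUT, "WETH.e", FAIR, Fraction(3, 100)))
    # Against the skewed pool alone the slippage check passes; the second source rejects.
    print(slippage_ok(RAW_IN, "USDT.e", HALF_OUT, "WETH.e", SKEWED_POOL, Fraction(3, 100)))
    print(approve_trade(RAW_IN, "USDT.e", HALF_OUT, "WETH.e", SKEWED_POOL, FAIR))
```

Even with decimals handled correctly, a slippage check measured against a manipulated pool price still passes, which is why the second price source is checked first.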
For an in-depth analysis of the exploit, see Vee Finance’s second post-mortem of the day.
The stolen funds were bridged back to Ethereum during and after the attack, in a series of over 100 transactions.
The exploiter’s Ethereum wallet currently holds a total of 214 WBTC ($9.3M) and 8,804 WETH ($26.9M).
According to Vee Finance’s incident report, “The VEE team is actively working to further clarify the incident and will continue to try to contact the attacker to recover the assets”, and the team is appealing to the hacker to take a bug bounty.
Hello, this is vee.finance team. We are willing to launch a bug bounty program for the bug you identified, please contact us via firstname.lastname@example.org.
Other incoming transactions contained messages, too, ranging from warnings:
Your address has been caught by the team
Hello this is @yannickcrypto, please follow me on twitter https://twitter.com/yannickcrypto_
To outright begging on-chain:
Big man, send me some for a poor man who can't afford to eat
At press time, there was still no response from Big man.
Any project which appears in “pump groups” such as this one is not doing well at all.
Will we see a vee-shaped recovery, or has all the value veritably vanished?
(Please consider the task of your anonymous author when naming your protocols)