Four Hacks, one week

Four Hacks, one week

This was an interesting week. We saw four hacks; first, two happened to one company in few days, and the third hack fuelled a cross-chain attack that happened to my knowledge.

Total value lost from Value DeFi and Rari Capital this week is around $36M, whereas $25M belongs to hacks to Value DeFi. Disastrous week for sure, and everything happened over few days. One hack wasn’t analyzed thoroughly where another one launched. It all felt unreal. It was too fast and too many times to one protocol. Being hacked three times for a total of $25M across five days is crazy, and I wonder who would put money into such protocol after the first hack, which exploited a basic overlook from the developers.

Value DeFi

It’s a DeFi product that lives on BSC Chain. It’s a combination of Yearn’s Farming and Uniswap/Bancor AMMs. If you read this and remember my article about DeFi hacks, you may know where I’m going with this and why I bring this up.

I’m not going to dive deep into how the exploits were possible, only mention the general idea. I will link to a more technical analysis of these exploits.

5th of May

Value DeFi was hacked for $10M due to re-initialization of the pools and made himself the operator of that pool. By doing that, he was able to drain the pool and sell all LP tokens.

Post Mortem from Value DeFi

vStake Pool Incident Post-Mortem
On May 5th 2021, 3:22 AM UTC, the exploiter re-initialized the pool and set the operator role to himself and _stakeToken to HACKEDMONEY. By doing so, the exploiter took control of the pool and…

7th of May

This attack is more complex. The hack was possible due to improper use of a complex power() function behind the weighted constant product invariant calculation and enforcement. This caused the Value DeFi to lose around $11M.

Rekt news did a great overview of this.

Rekt - Value DeFi - REKT 3
DeFi / Crypto - Twice in one week. Value DeFi is a trainwreck. Six months ago they lost $7M. Three days ago they lost $10M. Now they’ve lost another $11M. What went so wrong with Value DeFi?

8th of May

As it turned out, Value DeFi also had vulnerable yield farming contracts, which resulted in $3.8M stolen from vSafe vault. The funds from this attack were swapped to 1k ETH and sent to Ethereum using Anyswap.

To add gasoline to the fire, it was pointed out the face of “co-founder” was a paid actress from Fiver.

Rari Capital

The previous attack I described was the one attack that helped fuel the attack on Rari. Rari is a Robo-advisor DeFi product that helps the users maximizing yield earned. Rari Capital is a DeFi product deployed on Ethereum.

An attacker stole approximately 2900 ETH, around $11M at the time of writing. These funds were extracted from Rari Capital’s Ethereum Pool before the attacker was stopped when the contracts were paused. This loss equates to 60% of all users’ funds in the Rari Capital Ethereum Pool.

@FrankResearcher did a great analysis of this attack. Twitter thread below

The issues I described in one of my posts are what had lead to this issue. For Value DeFi being an anonymous team and hiring an actress to play the role of “co-funder” isn’t a great look for a company, and people should always be aware of such practices. Especially when the project is hacked four times in its lifespan and all the hacks are due to altering the forked code without understanding its consequences.

Value DeFi and Rari Capital also shared another common problem with the DeFi, composability. It’s the feature driving DeFi innovation. That’s why we call it also a “money lego” as everything can be built upon previous projects. This, unfortunately, introduces more complexity and more attack surface, guaranteeing new, unforeseeable attack vectors and risks we wouldn’t have thought about in the scope of only one project. This exactly what happened on the 3rd and 4th attacks.

We’re in uncharted waters. New attack vectors are designed like cross-chain attacks, and old tricks are still valid, like creating a fake token to trick the protocol.

With so many hacks happening recently on BSC and some on Ethereum, we should be wary of any protocol with forked-code and its integrations. Do your research and put into a protocol only what you’re acceptable to lose. You never know what lurks on the other side.