$17 939 000 USD

MAY 2021

GLOBAL

BEARNFI

DESCRIPTION OF EVENTS

"Earn double rewards with your idle assets." "Since the beginning, bEarn has stated a clear vision to become one of the best cross-chain Auto Yield Farming in crypto space." "bEarn.Fi optimizes bDollar rewards through a vault system; vaults serve as investment instruments, implementing procedures through smart contracts. These vaults automate the best yield farming opportunities. Vaults can also perform the following actions: use assets as liquidity, provide assets as collateral for others, manage collateral to reduce odds of liquidation, use assets to generate a yield and compound profits. With the following actions, vaults allow users to automate their De-Fi farming experience completely."


"bVaults offers double rewards with BFI and BDO or even triple (more details to be updated) rewards for LP holders, apart from the high APY on each Vault and the token harvested. 3% of newly minted BDO during the expansion phase will be sent to reward Vault holders. In comparison, other yield optimizers are currently offering single rewards."

"The incident was due to the improper implementation of the function withdraw(address, uint256 wantAmount)." "The BvaultsBank's withdraw logic assumes the withdrawn amount is denominated in BUSD while the BvaultsStrategy's withdraw logic assumes the withdrawn amount is denominated in ibBUSD." "Starting at 10:36:20 AM +UTC, May 16, 2021, BearnFi’s BvaultsBank contract was exploited and approximately $18M funds were drained from the pool."


"(1) Borrow a flashloan from CREAM with 7,804,239.111784605253208456 BUSD, which is returned at the last step with necessary fee to cover the flash loan cost. (2) Deposit the borrowed funds into BvaultsBank, which are immediately sent to the associated BvaultsStrategy strategy, then to Alpaca Vault for yield. Due to the above deposit, the Alpaca Vault mints 7,598,066.589501626344403426 ibBUSD back to BvaultsStrategy. (3) Farm with the received 7,598,066.589501626344403426 ibBUSD via the Alpaca FairLaunch. (4) Withdraws the 7,804,239.111784605253208533 BUSD from BvaultsBank, which is interpreted as withdrawing 7,804,239.111784605253208533 ibBUSD, the equivalent of 8,016,006.09792806917101481 BUSD. (5) In the next round, the user still deposits 7,804,239.111784605253208533 BUSD into BvaultsBank, cascadingly to BvaultsStrategy. But with the previous leftover from the last round, BvaultsStrategy credits the user with 8,016,006.09792806917101481 BUSD, which is used for yield again via Alpaca. (6) Repeat the above steps to continue accumulating the credit and finally exits by draining the pool. (7) Return the flash loan with 7,806,580.383518140634784418 BUSD."


"10,859,319 BUSD were stolen by the intruder directly from the BUSD vault protocol. This amount is utterly unrecoverable because the culprit already transferred the funds to another network using a bridge service." "In addition to the above, a further amount of 7,079,929 BUSD in exploited funds has been withdrawn by 65 user wallets recorded. Users withdrew extra funds during the brief moment of attack before the team could swiftly disable the interface. In addition to this, some users have also called the emergencyWithdraw function to withdraw funds. The actions done by these wallets have severely increased upon the initial damage done by the intruder. They are adding up to a total of about ~18 million dollars."


"[O]nly the single stake BUSD bVault using Alpaca as the source strategy was affected. [Other] bVaults [were not impacted], nor any other pools in [their] platform." "As a commitment to security and risk management, any and all new bVaults from today onwards will have a deposit limit cap implemented until a full audit is performed and passed upon the utilized strategy."


"[T]he team has expanded more on the exploit and has come forward to say they do not possess the financial capabilities to cover the loss. However, plans including the use of the Dao Funds, personnel salaries, and operation funds have been initiated." "bEarnFi released a rough compensation plan, which will create a compensation fund, which will consist of the remaining savings funds, development funds, DAO funds, and part of the expenses incurred by the agreement. After that, a snapshot of the balance will be taken to deploy compensation contracts. Affected users will receive an additional 5% of their deposit amount."


"[T]he first phase of the compensation plan [has been completed], which allowed affected users to connect to the platform and claim a balance." "In addition to this, [affected users] will be pleased to hear that [they] will also be moving forward with Phase 2 of compensation."


"We will continue providing support by means of all of our social channels to ensure the benefit of all our users. Many actions have been taken into account to deliver the best compensation plan for both you and the ecosystem to push forward and keep growing stronger together! The darkest time of the crushing market has passed, and this is the time we will unite as a community to achieve greater things than we have ever done before."

bEarn.Fi's bVaults had a unit-mismatch bug in their withdraw path: BvaultsBank treated the requested amount as BUSD, while BvaultsStrategy treated the same number as ibBUSD, Alpaca's interest-bearing token, which was worth more than one BUSD at the time. Each withdrawal therefore paid out more than had been deposited, and an attacker used a flash loan to repeat the deposit-and-withdraw cycle until the BUSD vault was drained. Other users who withdrew at the wrong rate during the attack window, including through emergencyWithdraw, added to the loss.
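A constructed model of the accounting mismatch described in the quotes above, added here and not code from bEarn.Fi or Alpaca: a stand-in vault prices one ibBUSD at 1.05 BUSD (the figures quoted on this page imply roughly 1.027), the buggy strategy spends the bank's BUSD request as ibBUSD shares, and the hardened variant converts the request into shares at the current rate first. All class names, function names and figures are assumptions.

```python
from dataclasses import dataclass
WAD = 10**18  # BUSD and ibBUSD both use 18 decimals


@dataclass
class AlpacaVault:
    """Stand-in for Alpaca's ibBUSD vault (constructed, not Alpaca's code)."""
    total_busd: int  # BUSD backing the shares
    total_ib: int    # ibBUSD shares outstanding
    def deposit(self, busd: int) -> int:
        """Mint shares pro rata; one ibBUSD is worth total_busd/total_ib BUSD."""
        ib = busd * self.total_ib // self.total_busd
        self.total_busd += busd
        self.total_ib += ib
        return ib
    def withdraw(self, ib: int) -> int:
        """Burn shares and pay out the BUSD they are worth."""
        busd = ib * self.total_busd // self.total_ib
        self.total_busd -= busd
        self.total_ib -= ib
        return busd


@dataclass
class Strategy:
    """Stand-in for BvaultsStrategy (constructed); holds shares for all depositors."""
    vault: AlpacaVault
    ib_held: int = 0
    def deposit(self, busd: int) -> None:
        self.ib_held += self.vault.deposit(busd)
    def withdraw_buggy(self, want: int) -> int:
        """The bug quoted above: the bank's BUSD `want` is spent as ibBUSD shares."""
        ib = min(want, self.ib_held)
        self.ib_held -= ib
        return self.vault.withdraw(ib)
    def withdraw_fixed(self, want_busd: int) -> int:
        """Hardened: convert the BUSD request into shares at the current rate first."""
        ib = min(want_busd * self.vault.total_ib // self.vault.total_busd, self.ib_held)
        self.ib_held -= ib
        return self.vault.withdraw(ib)


def one_round(fixed: bool) -> tuple[int, int]:
    """Deposit then withdraw the same BUSD amount; returns (paid_in, paid_out)."""
    strat = Strategy(AlpacaVault(21_000_000 * WAD, 20_000_000 * WAD))  # 1 ibBUSD = 1.05 BUSD
    strat.deposit(2_100_000 * WAD)  # earlier depositors: the pool the excess is drained from
    paid_in = 1_050_000 * WAD
    strat.deposit(paid_in)
    paid_out = strat.withdraw_fixed(paid_in) if fixed else strat.withdraw_buggy(paid_in)
    return paid_in, paid_out
```

With the buggy path a single round returns 1,102,500 BUSD for 1,050,000 deposited, the 52,500 excess coming out of other depositors' shares; the fixed path returns exactly what was deposited.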

HOW COULD THIS HAVE BEEN PREVENTED?

It is impossible to be certain that a smart contract is error-free; here the defect lay not in either contract on its own but in the unit of the amount passed between BvaultsBank and BvaultsStrategy.

The most secure way to store crypto-assets is offline multi-signature storage, where human beings handle the larger withdrawals.


Sources And Further Reading

Rekt - bEarn - REKT (Jun 20)
Address 0x47f341d896b08daacb344d9021f955247e50d089 | BscScan (Jun 20)
Profits from raiding Binance Smart Chain dapps in May (Jun 20)
SlowMist Hacked - SlowMist Zone (May 18)
bEarn.Fi - Cross-chain Auto Yield Farming (Jul 11)
Introducing bVaults. Dear bEarn community, | by BEARNDAO | Medium (Jul 11)
@BearnFi Twitter (Jul 11)
@BearnFi Twitter (Jul 11)
@BearnFi Twitter (Jul 11)
@BearnFi Twitter (Jul 11)
@BearnFi Twitter (Jul 11)
@BearnFi Twitter (Jul 11)
@BearnFi Twitter (Jul 11)
@news_of_bsc Twitter (Jul 11)
@BearnFi Twitter (Jul 11)
bVaults’ BUSD Alpaca Strategy Exploit Post-Mortem and bEarn’s Compensation Plan | by BEARNDAO | Medium (Jul 11)
bEarn.Fi Continues to Build Despite Stark Binance Smart Chain Correction (Jul 11)
bEarn’s BUSD Vault compensation progress: Phase 2 | by BEARNDAO | Medium (Jul 11)
BEARN FI MONTHLY REVIEW — JUNE 2021 | by BEARNDAO | Medium (Jul 11)
BVAULTS HOW, WHY, AND WHAT FULL TUTORIAL! EASIEST WAY TO GENERATE PASSIVE INCOME ON DEFI | BEARN.FI - YouTube (Jul 11)
BVaults | BEarn.fi Wiki | Fandom (Jul 11)
Bearn.fi Overview | Earn Over 1 % Apy a day with Bvaults | 100 Million TVL in Bvaults alone ! - YouTube (Jul 11)
bVaults’ BUSD Alpaca Strategy Exploit Post-Mortem and bEarn’s Compensation Plan | - YouTube (Jul 11)
blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11)
Bearn Fi Incident Inconsistent Asset Denomination Between Vault Strategy (Aug 11)
Rekt - bEarn - REKT (Aug 11)
security/2021-05-16-BearnFi.md at master · OriginProtocol/security · GitHub (Aug 11)
CertiK Blockchain Security Leaderboard (Jun 1)
https://mobile.twitter.com/certik_io/status/1367790089124872198 (Jan 10)
https://www.coursehero.com/file/166498199/bVaults-Comp-Plan-Explanationdocx/ (Nov 8)
