$12 000 USD

JUNE 2022




"Whale Loans​ is a venture focused on designing a scalable and defendable ecosystem that removes the complexity in and around DeFi and distributes value to its users. In layman’s terms, we are creating an “easy button” for a better user experience."


"​Whale Loans will be introducing several products for stablecoins so that users can earn attractive yields without committing to long lockup periods, allowing anyone to become a whale. Our ecosystem will bring additional value to the token beyond the traditional rebase token strategies. For further information on the token, see the tokenomics."


On June 20, 2022 Whale Loans lost $12K due to incorrectly calculating swap reward amount.


"On 20 June, Whale Finance experienced two separate exploits on the project's stablecoin AMM contracts, which has led to ~$12k in losses. The attacker called the swap() function from the USDT/BUSD pool which had a vulnerability, which was primarily caused by an incorrect k invariant calculation when the swap pair is a stablecoin."


"The attacker called the function swap() from the Stable AMM -USDT/BUSD contract. The input amount of USDT(BSC-USD) is 5964, which is the balance of the USDT in the Stable AMM -USDT/BUSD contract. The attacker sent back 0.6 USDT to the Stable AMM -USDT/BUSD contact. After the fee adjustment, the balance0Adjusted = 6022457770012534500304, IN3 and the balance1Adjusted = 59471946427871433983220000, which means the k invariant value is 1266806331900666880877818210684878792429048115. However, the reserve0 and reserve1 are 59646190399283805000316 and 5947194642787143398322 respectively. Their corresponding k invariant value is 2516642811824473716920890881639825. If it is multiplied by 10000**2 = 100_000_000, the result is still less than the k invariant given by the balance0Adjusted and balance1Adjusted. In this case, the k invariant validation was bypassed."


"Therefore, the Stable AMM - USDT/BUSD contract transferred the 5964 USDT to the attacker successfully. Similarly, the attacker called the function swap() twice to swap the BUSD with input amount 5947 and 62 of BUSD, respectively. Due to the same vulnerability, the Stable AMM -USDT/BUSD contract transferred 5947 and 62 BUSD to the attacker directly. The attacker applied the same strategy to the Stable AMM-USDC/BUSD with 232 USDC and 232 BUSD as profit. In total, the attacker made a profit of $12K."


"On the projects Discord, @coj337 who is the servers admin stated that due to the exploit, Whale.Finance has taken down the DEX whilst the vulnerability is being assessed. It has also been announced that no customer funds were lost due to the exploit."

Whale Loans aimed to simplify the decentralized finance experience for users. One service allowed users to swap easily between USDT (Tether) and BUSD (Binance's stablecoin). Unfortunately, this smart contract was vulnerable due to incorrectly calculating the swap reward amount. In total, the attacker profited $12k. It is not clear if users of the project were reimbursed. The project appears to be offline presently.

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.