Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/vethvirtualtokenlendingmechanismpricelogicerror.php}} {{Unattributed Sources}} Ethereum FoundationvETH is lending contract token with a loan control mechanism which is part of an unknown project on Ethereum. On November 14th, the smart contract was exploited which allowed for cheaper minting of vETH tokens. There is no word on any intended recovery..."

2024-12-20T18:04:18Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/vethvirtualtokenlendingmechanismpricelogicerror.php}} {{Unattributed Sources}} thumb|Ethereum FoundationvETH is lending contract token with a loan control mechanism which is part of an unknown project on Ethereum. On November 14th, the smart contract was exploited which allowed for cheaper minting of vETH tokens. There is no word on any intended recovery..."

New page

{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/vethvirtualtokenlendingmechanismpricelogicerror.php}}
{{Unattributed Sources}}

[[File:Ethereumfoundation.jpg|thumb|Ethereum Foundation]]vETH is lending contract token with a loan control mechanism which is part of an unknown project on Ethereum. On November 14th, the smart contract was exploited which allowed for cheaper minting of vETH tokens. There is no word on any intended recovery of the funds or reimbursment for affected users.<ref name="slowmistteamtwitter-17008" /><ref name="etherscan-17009" /><ref name="etherscan-17010" /><ref name="etherscan-17011" /><ref name="coinmonksmedium-17012" /><ref name="etherscan-17013" /><ref name="chaincatcher-17014" /><ref name="peckshieldalerttwitter-17015" /><ref name="surferstevetwitter-17016" /><ref name="etherscan-17017" /><ref name="solidityscanblog-17018" />

== About VirtualToken ==
"The vETH token (VirtualToken) is an ERC-20 token designed to facilitate token lending, wrapping, and unwrapping functionalities. It features a controlled loan mechanism, allowing only authorized factory contracts to call its takeLoanfunction and manage user debt. The token also integrates access control through a whitelist and factory mechanism, ensuring that interactions are limited to approved entities."

== The Reality ==
This sections is included if a case involved deception or information that was unknown at the time. Examples include:

* When the service was actually started (if different than the "official story").
* Who actually ran a service and their own personal history.
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* Details of what audits reported and how vulnerabilities were missed during auditing.

== What Happened ==
"The vETH token suffered an attack, resulting in approximately $450K in losses." "On November 14, 2024, the vETH token was exploited due to a business logic error in its lending mechanism. This exploit resulted in a loss of approximately $450k USD."
{| class="wikitable"
|+Key Event Timeline - vETH VirtualToken Lending Mechanism Price Logic Error
!Date
!Event
!Description
|-
|October 27th, 2024 3:08:11 AM MDT
|VirtualToken Created
|The VirtualToken smart contract is first created/launched on the Ethereum smart chain.
|-
|November 14th, 2024 12:37:47 AM MST
|Loading Exploiter Wallet With Ethereum
|Exploiter transfers some ethereum to their wallet for use with the exploit.
|-
|November 14th, 2024 1:35:47 AM MST
|Attack Transaction
|One of the attack transactions, according to Coinmonks.
|-
|November 14th, 2024 1:36:59 AM MST
|Attack Transaction
|One of the attack transactions, according to Coinmonks.
|-
|November 14th, 2024 1:39:23 AM MST
|Attack Transaction
|One of the attack transactions, according to Coinmonks.
|-
|November 14th, 2024 1:56:59 AM MST
|Exploit Transaction
|The price manipulation exploit occurs on the Ethereum smart chain.
|-
|November 14th, 2024 2:10:00 AM MST
|SlowMist Posts Tweet
|SlowMist posts a tweet about the suspicious activity on the vETH token/protocol.
|}

== Technical Details ==
"The attack targeted interactions between the vETH token’s takeLoan function and a liquidity-adding function in the Factory contract, which manipulates the state of Uniswap pairs. The attacker leveraged this flaw to acquire vETH tokens without incurring the intended cost."

"The root cause of the hack was a flawed interaction between the takeLoan function in the vETH contract and the liquidity-adding function in the Factory contract. This function allowed state manipulation of Uniswap pools, enabling the attacker to inflate the pool's constant product and mint vETH without proper cost."

== Total Amount Lost ==
The total amount lost has been estimated at $450,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

== Immediate Reactions ==
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

== Ultimate Outcome ==
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

== Total Amount Recovered ==
There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="slowmistteamtwitter-17008">[https://twitter.com/SlowMist_Team/status/1856987988632457708 @SlowMist_Team Twitter] (Accessed Dec 13, 2024)</ref>

<ref name="etherscan-17009">[https://etherscan.io/tx/0x678d52842fb5dcc5246cff2e262182df0da22bb0f98880b0e47fb2adb2c41e4f Ethereum Transaction Hash (Txhash) Details | Etherscan] (Accessed Dec 13, 2024)</ref>

<ref name="etherscan-17010">[https://etherscan.io/tx/0x51e9313c1b2f44198a491939a23fd1c90d37f3ea1e4346268abc437497888144 Ethereum Transaction Hash (Txhash) Details | Etherscan] (Accessed Dec 13, 2024)</ref>

<ref name="etherscan-17011">[https://etherscan.io/tx/0x064e35562dc4bbf724ad50cdc6ab8dea5f1e055ce185f46667680cce2df81777 Ethereum Transaction Hash (Txhash) Details | Etherscan] (Accessed Dec 13, 2024)</ref>

<ref name="coinmonksmedium-17012">[https://medium.com/coinmonks/decoding-veth-tokens-450k-exploit-3a2133166ab4 Decoding Veth Tokens 450k Exploit] (Accessed Dec 16, 2024)</ref>

<ref name="etherscan-17013">[https://etherscan.io/tx/0x900891b4540cac8443d6802a08a7a0562b5320444aa6d8eed19705ea6fb9710b Ethereum Transaction Hash (Txhash) Details | Etherscan] (Accessed Dec 16, 2024)</ref>

<ref name="chaincatcher-17014">[https://www.chaincatcher.com/en/article/2152017 Slow Fog: Suspicious activity related to vETH detected, users remain vigilant - ChainCatcher] (Accessed Dec 16, 2024)</ref>

<ref name="peckshieldalerttwitter-17015">[https://twitter.com/PeckShieldAlert/status/1856992380034945071 @PeckShieldAlert Twitter] (Accessed Dec 16, 2024)</ref>

<ref name="surferstevetwitter-17016">[https://twitter.com/surfer_steve_/status/1855628598348075146 @surfer_steve_ Twitter] (Accessed Dec 16, 2024)</ref>

<ref name="etherscan-17017">[https://etherscan.io/token/0x280a8955a11fcd81d72ba1f99d265a48ce39ac2e ERC-20: vETH (vETH) Token Tracker | Etherscan] (Accessed Dec 16, 2024)</ref>

<ref name="solidityscanblog-17018">[https://blog.solidityscan.com/veth-token-hack-analysis-828f6b8f5fd7 vETH Token Hack Analysis. Overview: | by Shashank | Nov, 2024 | SolidityScan] (Accessed Dec 16, 2024)</ref></references>

VETH VirtualToken Lending Mechanism Price Logic Error - Revision history