Eleven Finance Logic Exploit
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
An Eleven Finance smart contract which had not been audited had an exploit.
An attacker used this error to withdraw more funds than they should have been able to, and drain liquidity pools.
They later returned the funds.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14]
About Eleven Finance
"Eleven Finance is a platform empowering high APY vaults in the Binance Smart Chain ecosystem. Our platform with a focus on being fast moving and community will offer a dynamic and broad range of vaults to provide our users with optimised yield strategies."
"As the Decentralised Finance (defi) world grows, the search for the best yield grows with it." "Our vaults will initially utilise liquidity provider tokens from the ecosystems most popular exchange, Pancakeswap.finance. As further opportunities for yield present themselves in the BSC ecosystem our vaults will adapt to take advantage of these. Users staking these tokens in our vaults will be able to take advantage of our yield optimisation strategies and enjoy fantastic returns."
Their "lending bank was audited by Solidity Finance", however that's a different smart contract.
"On June 22, 2021 Eleven Finance withdrawal logic vulnerability was exploited which resulted in the theft of $4.5M."
A "malicious exploiter found a way to abuse one small subset of vaults and successfully drained all their funds." "Upon analysis the cause of the exploit was developer oversight. The emergencyBurn() function not burning shares allowed the attacker to execute this attack." "A hacker exploited the logic error in the "emergencyBurn()" function in the "ElevenNeverSellVault" contract. The error allows the attacker to withdraw more Nerve tokens from the contract than it supposes to, and the attacker enlarges the profit with the assist of flash loans."
"This has resulted in a 100% loss of funds from these vaults, totalling around $4.5 million USD." "[A]pproximately $4.8M in deposited funds were stolen, which accounted for approximately 4% of TVL at the time of the exploit. Drained vaults were nrvBTC, nrvETH, 3nrv, nrvUST, nrvfUSDT, and bfUSD."
"Bigfoot.eleven.finance has been taken down to ensure lenders won’t lend more funds to bfUSD, that bank with uses an affected NRV vault. We are researching the potential to recover some number of funds from here."
"After a few days of hard work and an extremely complex process of pausing/unpausing contracts, liquidating all positions and intercepting the funds before anyone could drain them again, we managed to recover them all." "In short, everyone recovered their leveraged farming position with 0% liquidation fee and we intercepted all borrowed funds for a total of extra $260,000."
"We have been collaborating and exchanging information with ImpossibleFin, Peckshield and others in the space. They have been doing an amazing job, we can’t comment too much on the specifics but can say their are potential suspects and ongoing local police reports and legal prosecution underway in order to recover as many funds as possible."
"To date, all team profits have been aggressively reinvested in: salaries, development, high profile audits and partnerships. Because of this, team funds were running low when everything happened." "[E]ven with our limited resources, we want to try and achieve full compensation while still achieving our ambitious goals. After a lot of internal debating on best solutions we think we have found the most optimal plan moving forward."
"The majority of exploited funds were in USD, so we will snapshot the value at the time of exploit and consider the exploited funds as USD for everyone." "We are going to refund 25% instantly to everyone affected in the exploit ($1.2M). We don’t have these funds, and to achieve this, the team will contract personal debt from a kind investor who is willing to lend out funds to make it possible." "For that, since there is $512K in the Compensation Fund already, we need to invest $688K to make it $1.2M in total. This funds will be paid directly from platform fees and team allocations."
"We as a team take full responsibility for the exploit and funds lost." "Given our limited resources, we had to be as creative as possible." "If we reach all our future plans (more on that later), we estimate team should recover debt in less than 3 months. For obvious reasons, a minimal emergency fund for developing and securing the platform will be still held in treasury." "Eleven needs to keep growing with a sustainable ecosystem and keep delivering its roadmap. Only then, the impact of recovering funds will be small enough for the protocol to absorb it successfully."
"A “Recovery Vault” (RV) will be created. It will be a storage vault that keeps accumulating ELE from different sources constantly until compensation is fully reached. 3.6M of “11RV” tokens will be minted. The quantity of tokens represent the value of the $3.6M funds to be recovered. 11RV is a fully compliant ERC-20 token (more on this below). All 11RV tokens will be staked in the vault and then distributed to every affected user proportionally to how much they had at the exact moment of the exploit. It will be easy on Recovery Vault UI to track the current value of your 11RV token. The final goal is that one 11RV = $1. Everyone is free to withdraw their staked tokens whenever they want. User who exits will burn all his 11RV and receive his proportional share of the current total compensation funds." "[S]ince 11RV is a fully compliant ERC-20 token, it can be traded and exchanged."
"From now on, every new strategy we create, will be instantly sent for auditing before its released. Also, if a strategy doesn’t improve too much by adding overly complicated features, it shouldn’t be worth it. Less is more in this case." Since the exploint, Eleven Finance requested and obtained an audit from CertiK.
"Some of the funds were returned after an unknown action by BSC team." "[T]he guy who exploited consecutively Impossible Finance and Eleven Finance sent back what he took." "Surprisingly, 48 hours after the exploit, 849.2 BNB was sent back to original Eleven deployer address by a self-proclaimed whitehat hacker. This deployer address was not the current one but we quickly moved the funds to the new one to secure the funds. Whoever was involved in this, we are thankful as for a project of our dimensions every little bit helps."
This is a global/international case not involving a specific country.
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| June 22nd, 2021 | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
Total Amount Lost
The total amount lost has been estimated at $4,800,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
General Prevention Policies
Funds were stored online (in a smart contract hot wallet) and there was no oversight/validation on withdrawals. The team did not have any funds available to handle this situation.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ CertiK Blockchain Security Leaderboard (Jun 1, 2021)
- ↑ No Title (Jul 24, 2021)
- ↑ Eleven Finance Incident Root Cause Analysis (Jul 24, 2021)
- ↑ Rekt - Eleven Finance - REKT (Jul 24, 2021)
- ↑ @johndoughbull Twitter (Jul 24, 2021)
- ↑ blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11, 2021)
- ↑ Analysis of the lightning loan attack on the machine gun pool related to Nerve in Eleven Finance | by Knownsec Blockchain Lab | Medium (Aug 11, 2021)
- ↑ Vault ELEVEN.FINANCE (Aug 14, 2021)
- ↑ CertiK Security Leaderboard - Eleven Finance (Aug 14, 2021)
- ↑ Introduction - Eleven Finance (Aug 15, 2021)
- ↑ Eleven Finance Nrv Vault Exploit And Loss Of Funds A Post Mortem (Aug 15, 2021)
- ↑ Eleven Finance Recovery Plan (Aug 15, 2021)
- ↑ Binance Transaction Hash (Txhash) Details | BscScan (Aug 15, 2021)
- ↑ Eleven Finance price today, ELE live marketcap, chart, and info | CoinMarketCap (Aug 15, 2021)