Iron Finance Burned
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Iron Finance offered a new form of stablecoin which took a hybrid approach.
A couple of liquidity pools on the platform were used to exchange between their "Iron" token and SIL or BUSD. These pools were breached.
The project appears to have made an effort to reimburse affected users in full.
This is a global/international case not involving a specific country. [1][2][3][4][5][6][7][8][9][10][11][12][13][14]
About Iron Finance
Iron Finance offers "a Partially-collateralized Stablecoin on the Binance Smart Chain". The iron token is "pegged to $1, partly backed by collateral like BUSD, and partially backed by STEEL. The collateralized ratio (CR), which is the collateralized and algorithmic ratio, depends on the market pricing of IRON. If the market demand for IRON is high, the system can be de-collateralized by decreasing the CR vis-a-vis when the demand is decreased."
"The latest decentralized finance protocol to get exploited is Iron Finance. The platform lost $170,000 from its liquidity pools following erroneous actions by the team." "Two vFarm liquidity pools (50% IRON—50% SIL pool; 50% IRON—50% BUSD pool) lost a total of 170,000 US dollars. Later, the official publication of the incident stated that: 1. The cause of the attack was due to the upgrade of the cloud service (FaaS) and the change in the reward rate integer, but the official team was not aware of the problem. Later, an attacker made a profit of 170,000 U.S. dollars by selling all the local token SIL rewards. 2. The Iron Finance smart contract has no loopholes. 3. vFarms will be restarted on March 18th, and SIL tokens will be restarted to sIRON. 4. Users should not sell or exchange IRON tokens for the time being. When the new pool is restarted, the full amount of BUSD can be redeemed. The Iron Finance agreement was launched on the BSC in early March. The IRON stablecoin is pegged to the U.S. dollar, partly backed by collateral such as BUSD and USDT, and partly backed by the SIL algorithm."
As explained by Value DeFi: "There has been an upgrade on FaaS, in which the reward rate is in normal integer instead of Ggwei as before. Unfortunately, Iron.Finance team was unware of the change and updated Iron vFarm pools with reward rate in Gwei. This caused the pools' rewards inflated by 10^18 times."
"Two Iron Finance vFarm pools were recently subject to an incident that resulted in the loss of user deposits." "A user who farmed in these two pools, claimed all SIL rewards allocated for farming over the next 12 months and made a profit of around $170k by selling SIL for BUSD on vSwap." "The bad actor(s) made off with $170,000 worth of its native SIL tokens. These were then sold for BUSD (Binance’s stablecoin) on the markets."
"It explained that vFarms will be relaunched on March 18 and the SIL token will be relaunched as sIRON. Iron Finance also published a document for affected users to enter their details. This is likely to help coordinate a refund process for the new tokens." "If you are an affected user by the Iron Finance vFarms incident (16 March 2021)" "Please fill out the following form. If you had more than 1 address with SIL or IRON, please submit these in separate forms."
This is a global/international case not involving a specific country.
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| March 16th, 2021 12:00:00 AM | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Total Amount Lost
The total amount lost has been estimated at $170,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Prevention Policies
Decentralized smart contracts are essentially hot wallets. It is impossible to prove the security.
If funds can't be stored in an offline multi-signature wallet, then a fund should be available for reimbursement of the full amount.
References
- ↑ SlowMist Hacked - SlowMist Zone (May 17, 2021)
- ↑ Mint and Redeem on Iron Finance - YouTube (May 24, 2021)
- ↑ @IronFinance Twitter (May 24, 2021)
- ↑ Iron Finance DeFi Exploit Explained in Post Mortem (May 25, 2021)
- ↑ Iron Finance DeFi Exploit Explained in Post Mortem - BeInCrypto (May 25, 2021)
- ↑ Iron Finance Vfarms Incident Post Mortem 16 March 2021 (May 25, 2021)
- ↑ Telegram: Contact @ValueDefi_Announcements (May 25, 2021)
- ↑ Address 0x69655181a55755adc854cd35c15995393f63e9e5 | BscScan (May 25, 2021)
- ↑ Iron Finance: The First Partial-Collateralized Stablecoin on Binance Smart Chain (May 25, 2021)
- ↑ Iron The First Partial Collateralized Stablecoin On Binance Smart Chain (May 25, 2021)
- ↑ What is IRON Finance? : IronFinance (May 25, 2021)
- ↑ Iron Finance vFarms incident (16 March 2021) (May 25, 2021)
- ↑ @IronFinance Twitter (May 25, 2021)
- ↑ blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 10, 2021)