EvoDefi Lightning Loan Breach

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

EvoDefi

The EvoDefi project fell victim to a lightning loan attack, which allowed for minting additional GEN tokens, and caused a drop in the price.

It does not appear that there is any mention of the events on the project Twitter currently, though they have deployed a new version of the smart contract a couple days later.

This is a global/international case not involving a specific country.

About EvoDefi

"Evolution project is the first to introduce elastic emission of token per block making the next step in the yield farming industry. It adds powerful layer to tokenomics and strengthens sustainability of the farm. Emission is tied up to…" "Until now modern approach of well known yield farms stood on entry fees, buys back, burns, lotteries and other mechanisms to improve tokenomics viability. Yet is seems to be not enough for most of the farms to remain sustainable."

"According to tweets, on June 10, the EvoDeFi project on the BSC chain was attacked by a lightning loan. KnowChuangYu Blockchain Security Lab was the first to track this event and analyze it."

"Due to a design flaw in the update logic of the function in the MasterChef contract, the part of the reward that needs to be deducted is not updated, which leads to arbitrage by attackers. There are frequent outbreaks of attacks on the BSC chain, and contract security needs to be given sufficient attention."

"Attack Process: Lend 273,360.811 GEN via Pancake Lightning Loan. Transfer all GEN to the subcontract, call the subcontract 0x6ead30df method. Call the deposit function of MasterChef to pledge all GENs. Call MasterChef’s depositNFT function to pledge GenNFT. Call MasterChef’s updatePower function to update, due to a design flaw in the updatePower function, the rewardDebt is not updated. Call MasterChef’s withdraw function to redeem all pledged GENs, due to the update flaw in the previous step, the reward is incremented. Transfer all the profitable GENs back to the attack contract 0x1cb6 via the subcontract transfer function."

"EvoDefi, the project revenue farm on the BSC chain, was attacked, and the price of its token GEN dropped from US$2.1/piece to US$0.9/piece, a short-term drop of 57%. Loss of 455,576.85 GEN worth approximately USD 1 million."

"We have now released Evodefi v2, there will be more networks available, lower handling fees and better liquidity."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

Known history of when and how the service was started.
What problems does the company or service claim to solve?
What marketing materials were used by the firm or business?
Audits performed, and excerpts that may have been included.
Business registration documents shown (fake or legitimate).
How were people recruited to participate?
Public warnings and announcements prior to the event.

Don't Include:

Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

When the service was actually started (if different than the "official story").
Who actually ran a service and their own personal history.
How the service was structured behind the scenes. (For example, there was no "trading bot".)
Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - EvoDefi Lightning Loan Breach
Date	Event	Description
June 10th, 2021 12:00:00 AM	Main Event	Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Total Amount Lost

The total amount lost has been estimated at $1,000,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?