BEarnFi BVaults Exploited

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 17:51, 2 May 2023 by Azoundria (talk | contribs)

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

BEarnFi

The BEarnFi BVaults had an exploit where the withdrawal was denominated in the wrong currency. This was exploited by an attacker to drain one of the liquidity pools. Some additional damage was done as others also tried to withdraw at the wrong rate.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27][28][29][30]

About BEarnFi

"Earn double rewards with your idle assets." "Since the beginning, bEarn has stated a clear vision to become one of the best cross-chain Auto Yield Farming in crypto space." "bEarn.Fi optimizes bDollar rewards through a vault system; vaults serve as investment instruments, implementing procedures through smart contracts. These vaults automate the best yield farming opportunities. Vaults can also perform the following actions: use assets as liquidity, provide assets as collateral for others, manage collateral to reduce odds of liquidation, use assets to generate a yield and compound profits. With the following actions, vaults allow users to automate their De-Fi farming experience completely."

"bVaults offers double rewards with BFI and BDO or even triple (more details to be updated) rewards for LP holders, apart from the high APY on each Vault and the token harvested. A 3% of newly minted BDO during the expansion phase will be sent to reward Vault holders. In comparison, other yield optimizers are currently offering single rewards."

"The incident was due to the improper implementation of the function withdraw(address, uint256 wantAmount)." "The BvaultsBank's withdraw logic assumes the withdrawn amount is denominated in BUSD while the BvaultsStrategy's withdraw logic assumes the withdrawn amount is denominated in ibBUSD." "Starting at 10:36:20 AM +UTC, May 16, 2021, BearnFi’s BvaultsBank contract was exploited and approximately $18M funds were drained from the pool."

"(1) Borrow a flashloan from CREAM with 7,804,239.111784605253208456 BUSD, which is returned at the last step with necessary fee to cover the flash loan cost. (2) Deposit the borrowed funds into BvaultsBank, which are immediately sent to the associated BvaultsStrategy strategy, then to Alpaca Vault for yield. Due to the above deposit, the Alpaca Vault mints 7,598,066.589501626344403426 ibBUSD back to BvaultsStrategy. (3) Farm with the received 7,598,066.589501626344403426 ibBUSD via the Alpaca FairLaunch. (4) Withdraws the 7,804,239.111784605253208533 BUSD from BvaultsBank, which is interpreted as withdrawing 7,804,239.111784605253208533 ibBUSD, the equivalent of 8,016,006.09792806917101481 BUSD. (5) In the next round, the user still deposits 7,804,239.111784605253208533 BUSD into BvaultsBank, cascadingly to BvaultsStrategy. But with the previous leftover from the last round, BvaultsStrategy credits the user with 8,016,006.09792806917101481 BUSD, which is used for yield again via Alpaca. (6) Repeat the above steps to continue accumulating the credit and finally exits by draining the pool. (7) Return the flash loan with 7,806,580.383518140634784418 BUSD."
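As an added illustration, not BEarnFi's code or code from any of the cited sources, the two quotations above describe an accounting mismatch between a bank contract that counts in BUSD and a strategy contract that redeems in ibBUSD. The model below, in Python with constructed balances, uses the assumed stand-in names IbVault (for the Alpaca ibBUSD vault), Strategy (for BvaultsStrategy) and Bank (for BvaultsBank), and a constructed price per share of 1.25; it shows that the unconverted withdrawal pays out more BUSD than was credited, at the expense of the other depositors, while converting the amount to shares first pays out exactly the credited balance.

```python
from fractions import Fraction

# Constructed model of the two-contract accounting; names are assumed stand-ins.
class IbVault:
    """Interest-bearing vault: each ibBUSD share redeems for pps BUSD (pps > 1)."""
    def __init__(self, price_per_share):
        self.pps = Fraction(price_per_share)
        self.shares = {}  # holder -> ibBUSD shares

    def deposit(self, holder, busd):
        # Mint shares at the current price, like the Alpaca vault in step (2).
        self.shares[holder] = self.shares.get(holder, 0) + busd / self.pps

    def withdraw(self, holder, shares):
        if shares > self.shares.get(holder, 0):
            raise ValueError("strategy holds fewer ibBUSD than requested")
        self.shares[holder] -= shares
        return shares * self.pps  # BUSD paid out

class Strategy:
    """Pools every depositor's ibBUSD; withdraw(want_amount) is the bug site."""
    def __init__(self, vault, convert_to_shares):
        self.vault, self.convert = vault, convert_to_shares

    def deposit(self, busd):
        self.vault.deposit(self, busd)

    def withdraw(self, want_amount):
        # Vulnerable: want_amount arrives in BUSD but is redeemed as ibBUSD shares.
        # Fixed: translate BUSD into shares at the vault's current price first.
        shares = want_amount / self.vault.pps if self.convert else want_amount
        return self.vault.withdraw(self, shares)

class Bank:
    """Credits users in BUSD and forwards the funds to the strategy."""
    def __init__(self, strategy):
        self.strategy, self.credit = strategy, {}

    def deposit(self, user, busd):
        self.credit[user] = self.credit.get(user, 0) + busd
        self.strategy.deposit(busd)

    def withdraw(self, user, busd):
        if busd > self.credit[user]:
            raise ValueError("withdraw exceeds credited balance")
        self.credit[user] -= busd
        return self.strategy.withdraw(busd)

def round_trip(price_per_share, others, user_deposit, fixed):
    """Return (BUSD paid to the user, BUSD value left for the other depositors)."""
    vault = IbVault(price_per_share)
    strategy = Strategy(vault, convert_to_shares=fixed)
    bank = Bank(strategy)
    bank.deposit("others", Fraction(others))       # constructed pool balance
    bank.deposit("user", Fraction(user_deposit))   # constructed user deposit
    paid = bank.withdraw("user", Fraction(user_deposit))
    return paid, vault.shares[strategy] * vault.pps
```

With the vulnerable setting a 1,000,000 BUSD deposit is paid back as 1,250,000 BUSD and the pool shrinks by the difference; with the conversion in place the user receives exactly 1,000,000 and the pool is untouched.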

"10,859,319 BUSD were stolen by the intruder directly from the BUSD vault protocol. This amount is utterly unrecoverable because the culprit already transferred the funds to another network using a bridge service." "In addition to the above, a further amount of 7,079,929 BUSD in exploited funds has been withdrawn by 65 user wallets recorded. Users withdrew extra funds during the brief moment of attack before the team could swiftly disable the interface. In addition to this, some users have also called the emergencyWithdraw function to withdraw funds. The actions done by these wallets have severely increased upon the initial damage done by the intruder. They are adding up to a total of about ~18 million dollars."

"[O]nly the single stake BUSD bVault using Alpaca as the source strategy was affected. [Other] bVaults [were not impacted], nor any other pools in [their] platform." "As a commitment to security and risk management, any and all new bVaults from today onwards will have a deposit limit cap implemented until a full audit is performed and passed upon the utilized strategy."

"[T]he team has expanded more on the exploit and has come forward to say they do not possess the financial capabilities to cover the loss. However, plans including the use of the Dao Funds, personnel salaries, and operation funds have been initiated." "bEarnFi released a rough compensation plan, which will create a compensation fund, which will consist of the remaining savings funds, development funds, DAO funds, and part of the expenses incurred by the agreement. After that, a snapshot of the balance will be taken to deploy compensation contracts. Affected users will receive an additional 5% of their deposit amount."

"[T]he first phase of the compensation plan [has been completed], which allowed affected users to connect to the platform and claim a balance." "In addition to this, [affected users] will be pleased to hear that [they] will also be moving forward with Phase 2 of compensation."

"We will continue providing support by means of all of our social channels to ensure the benefit of all our users. Many actions have been taken into account to deliver the best compensation plan for both you and the ecosystem to push forward and keep growing stronger together! The darkest time of the crushing market has passed, and this is the time we will unite as a community to achieve greater things than we have ever done before."

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - BEarnFi BVaults Exploited
Date | Event | Description
May 16th, 2021 | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $17,939,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

It's impossible to obtain certainty that smart contracts are error-free.

The most secure method of storage for crypto-assets is offline multi-signature storage, where human beings handle the larger withdrawals.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Rekt - bEarn - REKT (Jun 20, 2021)
  2. Address 0x47f341d896b08daacb344d9021f955247e50d089 | BscScan (Jun 20, 2021)
  3. Profits from raiding Binance Smart Chain dapps in May (Jun 20, 2021)
  4. SlowMist Hacked - SlowMist Zone (May 18, 2021)
  5. bEarn.Fi - Cross-chain Auto Yield Farming (Jul 11, 2021)
  6. Introducing bVaults. Dear bEarn community, | by BEARNDAO | Medium (Jul 11, 2021)
  7. @BearnFi Twitter (Jul 11, 2021)
  8. @BearnFi Twitter (Jul 11, 2021)
  9. @BearnFi Twitter (Jul 11, 2021)
  10. @BearnFi Twitter (Jul 11, 2021)
  11. @BearnFi Twitter (Jul 11, 2021)
  12. @BearnFi Twitter (Jul 11, 2021)
  13. @BearnFi Twitter (Jul 11, 2021)
  14. @news_of_bsc Twitter (Jul 11, 2021)
  15. @BearnFi Twitter (Jul 11, 2021)
  16. bVaults’ BUSD Alpaca Strategy Exploit Post-Mortem and bEarn’s Compensation Plan | by BEARNDAO | Medium (Jul 11, 2021)
  17. bEarn.Fi Continues to Build Despite Stark Binance Smart Chain Correction (Jul 11, 2021)
  18. bEarn’s BUSD Vault compensation progress: Phase 2 | by BEARNDAO | Medium (Jul 11, 2021)
  19. BEARN FI MONTHLY REVIEW — JUNE 2021 | by BEARNDAO | Medium (Jul 11, 2021)
  20. BVAULTS HOW, WHY, AND WHAT FULL TUTORIAL! EASIEST WAY TO GENERATE PASSIVE INCOME ON DEFI | BEARN.FI - YouTube (Jul 11, 2021)
  21. BVaults | BEarn.fi Wiki | Fandom (Jul 11, 2021)
  22. Bearn.fi Overview | Earn Over 1 % Apy a day with Bvaults | 100 Million TVL in Bvaults alone ! - YouTube (Jul 11, 2021)
  23. bVaults’ BUSD Alpaca Strategy Exploit Post-Mortem and bEarn’s Compensation Plan | - YouTube (Jul 11, 2021)
  24. blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11, 2021)
  25. Bearn Fi Incident Inconsistent Asset Denomination Between Vault Strategy (Aug 11, 2021)
  26. Rekt - bEarn - REKT (Aug 11, 2021)
  27. security/2021-05-16-BearnFi.md at master · OriginProtocol/security · GitHub (Aug 11, 2021)
  28. CertiK Blockchain Security Leaderboard (Jun 1, 2021)
  29. https://mobile.twitter.com/certik_io/status/1367790089124872198 (Jan 10, 2022)
  30. https://www.coursehero.com/file/166498199/bVaults-Comp-Plan-Explanationdocx/ (Nov 8, 2022)