Vesper Finance Oracle Attack
Vesper Finance offers a number of liquidity pools aimed at users who are new to DeFi, and states that its strategies are independently audited. One of its newer products, the beta lending market "Vesper Lend Beta" (Rari Fuse Pool #23), priced the beta stablecoin VUSD from a Uniswap v3 price feed. VUSD had very little liquidity on Uniswap, so an attacker was able to buy out the in-range VUSD and place a tiny liquidity position at an extreme price, which inflated the VUSD price reported to the lending market enormously. The attacker then supplied VUSD as collateral, borrowed all of the pool's assets against that inflated collateral and swapped them for ETH, netting over $3 million. The attack was funded with 100 ETH withdrawn from Tornado Cash. Vesper paused borrowing and set VUSD's collateral factor to zero, and the market was later brought back online. It is unclear whether affected users were fully compensated, though the team stated its intention to make everyone whole.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12]
About Vesper Finance
"DeFi, Simplified. Choose your pool, deposit your crypto, and let Vesper put DeFi to work for you."
"Vesper provides a platform for easy-to-use Decentralized Finance (DeFi) products." "At launch, Vesper offers a variety of interest-yielding "Grow Pools" that enable users to passively increase their crypto holdings by simply selecting the desired aggressiveness of their strategy and the digital asset held. The Vesper Grow Pools represent the first product on the Vesper platform. More will be developed and presented over time."
"VSP incentivizes participation, facilitates governance, and catalyzes user contribution. Users earn VSP through pool participation and, later, participating in Vesper's continuous improvement." "Vesper is building a user community that sustains and grows the product portfolio, facilitates progressive decentralization, and enables users to build new products while earning a share of that product's fees."
"Vesper's DeFi products deliver ease-of-use in achieving your crypto-finance objectives. The Vesper token (VSP) is the core economic engine that facilitates the building and expansion of Vesper’s capabilities and its community."
"The primary risk faced by Vesper pools is a 'black swan' event, where a pool's underlying asset sees a rapid flash crash. In extreme cases, the debtor will not be able to modify their loan fast enough to avoid liquidation. This is a broader risk that affects DeFi lending protocols as a whole." "In the worst case scenario, a partial liquidation is enforced by the lending protocol. For example, Maker currently carries a 13% fee on the capital liquidated. This would reflect a loss to pool participants." "This risk is further mitigated by the stablecoin offerings. There is no 'volatility' risk with stablecoins apart from the doomsday scenario in which they lose their peg. Such an event would be wholly unrelated to the Vesper ecosystem."
"All Vesper strategies went through two rounds of independent audits. All further contracts, both team and community developed, will additionally go through auditing before they are pushed to Mainnet. More information about Vesper audits can be found in our Gitbook." "All Vesper Holding pools are assigned a “risk factor” that reflects the number and complexity of contract interactions, collateralization rates, and security of protocols interacted with. Qualitatively, each pool’s risk factor is scored as “Conservative” or “Aggressive.”"
"Initially, the total supply of VSP is 10 million. The mint function is timelocked for 12 months. This protects from any drastic tokenomic changes until the token has adequately circulated and governance is 100% community owned. Token holders alone will make these decisions for themselves. Learn more about the timelock and other Vesper features." "Vesper’s governance is a progressive process that ultimately transfers 100% ownership and control to VSP holders. Recognizing shortcomings of “Day-1-DAOs” before Vesper, this strategy reserves appropriate controls to the team until the community and token has matured and is prepared to govern itself. Read more about Vesper governance principles and timeline." "Both VUSD and pool #23 are beta."
"Vesper Finance suffered an oracle manipulation attack." "2021-11-02-1400ET -- At about 2:00 p.m. UTC, an attacker created a Uniswap LP position on VUSD. As VUSD is a low-liquidity token (a stablecoin project in beta), the attacker was able to manipulate the price outside of its price band."
"An attacker created a Uniswap LP position on VUSD. As VUSD is a low-liquidity token, the attacker was able to manipulate and raise the VUSD price. This enabled it to come to the Rari Fuse pool #23 (“Vesper Lend Beta”) with inflated collateral, which was used to borrow all of the tokens from that pool."
"All tokens in that pool were then swapped for ETH, netting the attacker over $3 million."
"As a first step, the attacker got 100 ETH from tornado.cash, so as to ensure privacy. They then swapped 58 ETH for USDC. Using this USDC, they purchased all available VUSD on Uniswap v3 0.05% fee tier, pushing that market out-of-range. They then created a new LP position of 0.1 USDC marked at a price of trillions of VUSD per USDC. The Uniswap v3 oracle therefore reported a price in the trillions for the 0.05% fee range. The Rari lending market received the VUSD price using the price feed from the Uniswap v3 oracle and valued VUSD collateral at a price of “infinity.” The attacker provided the purchased VUSD as collateral to Vesper Lend, which essentially gave them “infinite” collateral to borrow all available assets. The attacker used the VUSD collateral to borrow roughly 3.5 million in miscellaneous assets. 735 ETH accrued."
"As of this evening U.S. time, here’s how the aftermath of the exploit looks like for different users:"
"Vesper Lend beta (Rari Fuse Pool #23): Users will see a higher APY across all tokens because of the debt taken on by the exploiter. However, vVSP holders will not be able to withdraw until more liquidity becomes available. For those who do want to withdraw, this will open up over the next few weeks — liquidity will slowly open up as the narrow channel of supply widens to meet the flow of demand."
"Vesper Grow (Aggressive): Funds are SAFU. Aggressive pools used Rari Fuse Pool #23 partially as a yield source. Users will also see a slightly higher APY here."
"Vesper Earn (Beta): Funds are SAFU. Similarly, users will see a slight APY bump. Vesper Earn uses the Vesper Aggressive DAI Pool as a yield source, which in turn used Rari Fuse Pool #23."
"Vesper Grow (Conservative): Funds are SAFU. These users are not affected, as no Conservative Grow pools used Rari Fuse Pool #23 as a yield source."
"VUSD Holders: Funds are SAFU. VUSD price was manipulated upward, but the collateral system remains solvent."
"As soon as the community and VBC team became aware of the issue, it [c]oordinated with Rari Capital, Yearn, and Uniswap to assess the situation and determine solutions, [p]aused borrowing of VUSD and vVSP on #23, [s]et VUSD’s collateral factor to “zero.”, [and p]aused all other activity to focus on addressing this exploit." "The team is continuing to investigate the full impact of this exploit, working closely with Rari, Yearn, and Uniswap."
"The VBC and Rari teams continue to work together to assess any users who were liquidated due to the price manipulation attack. Now that VUSD price is restored, the next step is turning liquidations back on, and getting the attacker off the platform. Then the market will be ok and safe to use again (still at beta risk level)."
"It is our hope that we can make everybody whole, but we cannot make this promise, until we have done a full and complete accounting, which may stretch into early next week. Some VVSP liquidity has already returned — You’re getting a great APY right now! — which means that others can start to withdraw their VVSP."
The Reality
Both VUSD and Fuse Pool #23 were labelled beta. The lending market valued VUSD collateral from a Uniswap v3 price feed for a market with very little liquidity, which meant the collateral price could be pushed far outside a stablecoin's expected band by a single, modestly funded sequence of transactions, regardless of how the lending contract's own logic had been audited.
What Happened
The attack took place on November 2nd, 2021, at about 2:00 p.m. UTC, against the beta lending market "Vesper Lend Beta" (Rari Fuse Pool #23).
| Date | Event | Description |
|---|---|---|
| November 2nd, 2021 7:59:59 AM MDT (13:59:59 UTC) | Main Event | An attacker, funded with 100 ETH from Tornado Cash, swapped 58 ETH to USDC, bought out all VUSD in range on the Uniswap v3 0.05% fee tier and minted a 0.1 USDC position at an extreme price, so that the Uniswap v3 price feed used by Rari Fuse Pool #23 reported a VUSD price in the trillions. The attacker supplied VUSD as collateral, borrowed roughly $3.5 million of the pool's assets against it, and swapped them for ETH (735 ETH), netting over $3 million. |
Technical Details
The loss was caused by oracle manipulation, not by a bug in the lending contract's accounting. Rari Fuse Pool #23 ("Vesper Lend Beta") accepted VUSD as collateral and obtained the VUSD price from a Uniswap v3 price feed for the 0.05% fee tier. Uniswap v3 concentrates liquidity in price ranges, and VUSD was a low-liquidity beta stablecoin, so the attacker needed only modest capital:
- Fund a fresh address with 100 ETH from Tornado Cash and swap 58 ETH for USDC.
- Buy all VUSD available in range on the 0.05% fee tier, pushing the market out of range.
- Mint a new position of only 0.1 USDC marked at a price of trillions of VUSD per USDC. Because that position was the only liquidity left, the Uniswap v3 oracle for the 0.05% fee tier reported a price in the trillions.
- Supply the purchased VUSD to Vesper Lend as collateral. The lending market priced that collateral from the manipulated feed, valuing it at effectively "infinity", and allowed the attacker to borrow roughly $3.5 million in assets, which were swapped for ETH (735 ETH).
The underlying weaknesses were: (1) pricing collateral from a DEX pool whose liquidity was far too thin to resist manipulation; (2) no sanity bound on a stablecoin's price, even though stablecoin collateral should never be valued above its peg; and (3) no protective limits such as a minimum-liquidity requirement, a borrow cap or a reduced collateral factor for a beta asset. Vesper's first remediation, setting VUSD's collateral factor to zero, removed the exposure outright.
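The following is an added worked example, not code from Vesper, Rari or Uniswap, that replays the shape of the manipulation on constructed numbers and contrasts a naive price feed with a hardened one. It uses a mock of Uniswap v3's tick-cumulative oracle (the real pool exposes `observe()`; the mock integrates the tick over time the same way). The honest liquidity figure, the 30-minute window, the 5% deviation threshold and the $500k liquidity floor are assumptions chosen for illustration, and the 100,000 VUSD collateral amount is constructed.

```python
import math
from dataclasses import dataclass
from typing import Optional

TICK_BASE = 1.0001  # Uniswap v3 convention: price = 1.0001 ** tick


def tick_to_price(tick: int) -> float:
    """Price of token0 in token1 at a tick (read here as USDC per VUSD)."""
    return TICK_BASE ** tick


def price_to_tick(price: float) -> int:
    """Largest tick whose price does not exceed `price` (floored, as in v3)."""
    return math.floor(math.log(price) / math.log(TICK_BASE))


@dataclass
class Observation:
    ts: int           # time (seconds) at which this pool state began
    tick: int         # current tick from `ts` onward
    liquidity: float  # in-range liquidity from `ts` onward, in USDC terms


class MockV3Pool:
    """Constructed stand-in for a v3 pool's observation history: the real pool's
    observe(secondsAgos) returns tickCumulatives, the integral computed below."""

    def __init__(self, t0: int, tick: int, liquidity: float) -> None:
        self.obs = [Observation(t0, tick, liquidity)]

    def update(self, ts: int, tick: int, liquidity: float) -> None:
        self.obs.append(Observation(ts, tick, liquidity))

    @property
    def current(self) -> Observation:
        return self.obs[-1]

    def tick_cumulative(self, t: int) -> float:
        """Integral of the (piecewise-constant) tick from the first observation to t."""
        total = 0.0
        for i, ob in enumerate(self.obs):
            if ob.ts >= t:
                break
            seg_end = min(t, self.obs[i + 1].ts) if i + 1 < len(self.obs) else t
            total += ob.tick * (seg_end - ob.ts)
        return total

    def twap_tick(self, now: int, window: int) -> int:
        """Time-weighted average tick over [now - window, now]."""
        delta = self.tick_cumulative(now) - self.tick_cumulative(now - window)
        return math.floor(delta / window)


class PriceManipulated(Exception):
    """Raised when the hardened valuation refuses to price collateral."""


def naive_collateral_value(pool: MockV3Pool, amount_vusd: float) -> float:
    """What a feed that simply trusts the pool's current price reports."""
    return amount_vusd * tick_to_price(pool.current.tick)


def hardened_collateral_value(pool: MockV3Pool, amount_vusd: float, now: int,
                              window: int = 1800, peg_ceiling: float = 1.0,
                              max_deviation: float = 0.05,
                              min_liquidity: float = 500_000.0) -> float:
    """TWAP price plus a liquidity floor, a spot/TWAP circuit breaker and a cap
    at the peg: stablecoin collateral is never worth more than 1.0 here."""
    spot = tick_to_price(pool.current.tick)
    twap = tick_to_price(pool.twap_tick(now, window))
    if pool.current.liquidity < min_liquidity:
        raise PriceManipulated(f"in-range liquidity {pool.current.liquidity} below floor")
    if abs(spot - twap) / twap > max_deviation:
        raise PriceManipulated(f"spot {spot:.3g} deviates from TWAP {twap:.3g}")
    return amount_vusd * min(twap, peg_ceiling)


def breaker_reason(pool: MockV3Pool, amount_vusd: float, now: int) -> Optional[str]:
    """None if the hardened feed prices the collateral, otherwise why it refused."""
    try:
        hardened_collateral_value(pool, amount_vusd, now)
        return None
    except PriceManipulated as exc:
        return str(exc)


def manipulated_pool(attacker_liquidity: float = 0.1) -> MockV3Pool:
    """Constructed replay: an hour at peg with ~$2M in range (assumed); at t=3600
    the attacker has bought out the in-range VUSD and minted a 0.1 USDC position
    at a price of 1e12, which is now the pool's only liquidity."""
    pool = MockV3Pool(t0=0, tick=0, liquidity=2_000_000.0)
    pool.update(ts=3600, tick=price_to_tick(1e12), liquidity=attacker_liquidity)
    return pool


def scenario(amount_vusd: float = 100_000.0, now: int = 3660) -> dict:
    """Value the attacker's VUSD one minute after the manipulation."""
    pool = manipulated_pool()
    twap_price = tick_to_price(pool.twap_tick(now, 1800))
    return {
        "naive": naive_collateral_value(pool, amount_vusd),   # ~1e17 USDC
        "twap_price": twap_price,                             # ~2.5, still inflated
        "peg_capped": amount_vusd * min(twap_price, 1.0),    # 100000.0
        "breaker": breaker_reason(pool, amount_vusd, now),    # refuses to price
    }
```

Running `scenario()` shows the two lessons a practitioner should take from this case: a naive spot-price feed values 100,000 VUSD at roughly 1e17 USDC, and even a 30-minute TWAP is still 2.5x above peg only one minute after the manipulation, because a single extreme tick dominates the average. What actually closes the hole is the combination of a peg cap on stablecoin collateral (the valuation can never exceed 100,000 USDC) and the liquidity floor and spot/TWAP breaker, which refuse to price the asset at all while the pool is in a manipulated state.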
Total Amount Lost
The total amount lost has been estimated at $3,370,000 USD. Vesper's post-mortem describes roughly $3.5 million in miscellaneous assets borrowed against the inflated collateral and "over $3 million" netted after those assets were swapped to ETH (735 ETH). The figures differ depending on whether the borrowed assets or the ETH obtained is counted and at what ETH price; $3,370,000 corresponds to the 735 ETH valued at roughly $4,585 per ETH, consistent with the ETH price on November 2nd, 2021.
Immediate Reactions
Once the community and the VBC team became aware of the exploit, they coordinated with Rari Capital, Yearn and Uniswap to assess the situation, paused borrowing of VUSD and vVSP on Fuse Pool #23, set VUSD's collateral factor to zero, and paused other activity to focus on the incident. After the VUSD price was restored, the Vesper and Rari teams worked to re-enable liquidations and remove the attacker's position from the market, and assessed users who had been liquidated as a result of the price manipulation. vVSP holders were told that withdrawals would reopen gradually as liquidity returned to the pool.
Ultimate Outcome
The market was later brought back online, still at beta risk level. The attacker's funds were sourced through Tornado Cash and swapped to ETH, and no recovery of funds or identification of the attacker is recorded here. Vesper stated that it hoped to make everyone whole but could not promise this until a full accounting was complete.
Total Amount Recovered
There do not appear to have been any funds recovered in this case. Vesper stated its hope of making affected users whole, pending a full accounting, but no reimbursement figures are documented here.
Ongoing Developments
Whether users who were liquidated during the manipulation, and vVSP holders who were waiting for liquidity to return, were ultimately made whole has not been documented here.
General Prevention Policies
Vesper states that its strategies went through two rounds of independent audits, but VUSD and Fuse Pool #23 were beta products, and it is unclear what review the lending market's price feed received. Auditing the lending contract alone would not have prevented this loss, since it did not require any bug in that contract's code; the flaw was trusting a price derived from a DEX pool with negligible liquidity. A lending market should (a) not price collateral from a pool that a small amount of capital can move, (b) use a time-weighted price with a minimum-liquidity requirement and a spot/TWAP deviation circuit breaker rather than the instantaneous pool price, (c) cap a stablecoin's collateral value at its peg, and (d) apply conservative collateral factors and borrow caps to beta assets. We recommend at least two independent audits that cover oracle integrations and not only contract logic, with residual risk to on-chain funds covered by a self-insurance treasury, comprehensive smart contract insurance, and/or an industry insurance fund.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. https://blog.insurace.io/security-incidents-in-november-e4bcb39dd7f9 (Feb 1, 2022)
2. On The Vesper Lend Beta Rari Fuse Pool 23 Exploit (Feb 6, 2022)
3. https://etherscan.io/tx/0x89d0ae4dc1743598a540c4e33917efdce24338723b0fabf34813b79cb0ecf4c5 (Feb 7, 2022)
4. Introduction - Vesper Documentation (Feb 7, 2022)
5. Discussion of Risk - Vesper Documentation (Feb 7, 2022)
6. https://vesper.finance/security/ (Feb 7, 2022)
7. @VesperFi Twitter (Feb 7, 2022)
8. https://etherscan.io/tx/0x8527fea51233974a431c92c4d3c58dee118b05a3140a04e0f95147df9faf8092 (Feb 7, 2022)
9. https://etherscan.io/address/0xa3f447feb0b2bddc50a44ccd6f412a5f98619264 (Feb 7, 2022)
10. https://coinmarketcap.com/currencies/ethereum/historical-data/ (Dec 21, 2021)
11. https://m.facebook.com/hackposts/posts/116761580474021 (Feb 12, 2022)
12. @VesperFi Twitter (Feb 12, 2022)