Anzen Finance Smart Contract Decimal Vulnerability
Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Anzen Finance offers a stablecoin, USDz, which is backed by real-world assets. The protocol was launched on Ethereum, Base, and Blast. A decimals issue in the Blast vault contract was exploited, and the exploiter obtained 500k USDz and converted it to USDC. An agreement was reached under which $450k was returned to the treasury and the remaining $50k was treated as a bug bounty. The protocol continued operating with minimal disruption to the USDz price, but has not released a full post-mortem explaining the exact contract error.[1][2][3][4][5][6][7][8]
About Anzen Finance
"USDz: RWA-backed Stablecoin Backed by institutional grade real world assets"
"USDz is backed by a diversified portfolio of private credit assets. These assets have special traits that protect the investor, like collateral (real assets that can be sold to cover investors' funds) and covenants (rules that tell the borrower what they can or can't do)."
"USDz is fully composable, ensuring seamless integration and functionality across the entire crypto ecosystem. Easily participate in DeFi protocols, trade on decentralized exchanges, and use it for payments, benefiting from its stability and widespread acceptance."
"Staking is available across the largest DeFi platforms, offering attractive opportunities to earn rewards. This allows holders to optimize their portfolio and benefit from the security of a stablecoin with less volatility than speculative tokens."
"Anzen is a decentralized platform providing access to USDz, which is a digital token backed by a diversified portfolio of private credit assets.
Anzen carefully secures these cash-flowing assets alongside qualified KYC-compliant investors through rigorous underwriting. These assets are typically associated with reliable revenue streams and are expected to maintain their value even during periods of cryptocurrency market volatility.
By staking USDz tokens to obtain sUSDz, DeFi users have the chance to earn sustainable rewards and diversify their portfolios. This allows USDz holders to shield themselves from the price fluctuations and volatility of unbacked crypto tokens."
"Operations related to the issuance and redemption of USDz are recorded transparently on the blockchain. This allows users to verify the solvency of USDz at any time, providing clear visibility into the health of its reserves."
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| July 30th, 2024 9:44:27 AM MDT | Attack Against Contract | The reported time of the attack, based on Anzen Finance. |
| July 30th, 2024 10:43:15 AM MDT | Attacker Gets USDC Funds | The attacker is able to obtain their funds as USDC. |
| July 30th, 2024 12:01:35 PM MDT | Funds Returned By Hacker | $450k of the funds are returned to the treasury as USDC. The remaining $50k is retained by the exploiter as a bounty. |
Technical Details
The root cause was reported as a decimals issue in the Blast vault contract; the Ethereum and Base vaults were not affected. Anzen stated only that there was "an error in our Blast vault contract" and that it would be corrected before the Blast vault limit was refreshed. No technical post-mortem describing the exact error has been published.
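Because the page gives no contract details, the following is an added, constructed illustration of the general decimals-mismatch class, not Anzen's code and not a claim about what the Blast vault actually did. It models a vault that converts between a collateral token and an 18-decimal stablecoin at 1:1 value, where the scale factor is taken from a hard-coded decimals constant instead of the decimals of the token actually deployed beside the vault on that chain. The vault design, the function names, the 18-decimal stablecoin and the sample decimals are all assumptions.

```python
"""Constructed illustration of a token-decimals mismatch in a mint/redeem
vault. Not Anzen's code; the page gives no contract details, so the vault
design, names and sample decimals below are assumptions.

Model: the vault mints a stablecoin with 18 decimals against a collateral
token at 1:1 value. Balances are integers in the token's smallest unit,
as in an ERC-20. The same arithmetic applies to any pair of decimals."""
from fractions import Fraction

STABLE_DECIMALS = 18  # assumption: the minted stablecoin uses 18 decimals


def to_stable_raw(collateral_raw: int, token_decimals: int) -> int:
    """Collateral smallest-units -> stablecoin smallest-units at 1:1 value.

    This is also the vulnerable arithmetic when `token_decimals` is a constant
    baked in at write time rather than the deployed token's decimals(): the
    math is right, the parameter is wrong. Rounds down."""
    if token_decimals <= STABLE_DECIMALS:
        return collateral_raw * 10 ** (STABLE_DECIMALS - token_decimals)
    return collateral_raw // 10 ** (token_decimals - STABLE_DECIMALS)


def to_collateral_raw(stable_raw: int, token_decimals: int) -> int:
    """Inverse conversion for redemption. Rounds down, in the vault's favour."""
    if token_decimals <= STABLE_DECIMALS:
        return stable_raw // 10 ** (STABLE_DECIMALS - token_decimals)
    return stable_raw * 10 ** (token_decimals - STABLE_DECIMALS)


def units(raw: int, decimals: int) -> Fraction:
    """Exact whole-token value of a raw integer amount."""
    return Fraction(raw, 10 ** decimals)


def mint_error_factor(assumed_decimals: int, actual_decimals: int) -> Fraction:
    """Ratio of what a vault using a hard-coded `assumed_decimals` mints for one
    whole token to what it should mint. 1 means correct. 10**12 means one token
    deposited mints a trillion stablecoins (the depositor profits); 1/10**12
    means depositors are shortchanged instead."""
    one_token = 10 ** actual_decimals
    minted = to_stable_raw(one_token, assumed_decimals)
    correct = to_stable_raw(one_token, actual_decimals)
    return Fraction(minted, correct)


def deployment_check(assumed_decimals: int, token_decimals: int) -> bool:
    """Guard a constructor or deploy script should enforce: refuse to go live
    when the configured scale disagrees with the token's reported decimals()."""
    return assumed_decimals == token_decimals


if __name__ == "__main__":
    # Constructed sample: one vault code base deployed against collateral
    # tokens with different decimals. USDC really has 6 decimals on Ethereum
    # and Base; the 18-decimal entry is a hypothetical other collateral.
    vault_assumes = 6
    for chain, dec in {"chain_A": 6, "chain_B": 18}.items():
        factor = mint_error_factor(vault_assumes, dec)
        ok = deployment_check(vault_assumes, dec)
        minted = to_stable_raw(10 ** dec, vault_assumes)
        print(f"{chain}: token decimals={dec} check_ok={ok} "
              f"one token mints {units(minted, STABLE_DECIMALS)} stable "
              f"(error factor {factor})")
```

In a real contract the hardened form reads decimals() from the collateral token passed to the constructor and stores the scale, and the deploy script independently compares that value against the token on the target chain before raising the vault limit. A single code base deployed to several chains is exactly where a per-chain difference in a token's decimals slips through, which is why the check belongs at deployment rather than only in review.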
Total Amount Lost
The total amount lost has been estimated at $500,000 USD (500k USDz taken from the Blast vault and converted to USDC).
Immediate Reactions
"Anzen Finance, the issuer of RWA stablecoins, announced on the X platform that on July 30, due to an error in the Blast vault contract, a white hat hacker exploited the vault to steal 500,000 USDz. The white hat returned $450,000 in a timely manner and received a $50,000 bounty as a reward."
"At Jul-30-2024 03:44:27 PM +UTC the Blast vault was exploited by a whitehat hacker for 500k USDz due to an error in our Blast vault contract. The funds have been returned. The contract error will be corrected prior to refreshing the vault limit on Blast. All other vaults are safe to use.
Upon seeing the transactions on Blast, Anzen immediately purchased 500k USDz to mitigate any sell pressure. The price impact was negligible.
Thanks to the community, we contacted the whitehat hacker who returned the funds promptly. They received a 50k bounty for spotting the error in our Blast vault contract. This is the transaction in which they sent 450k USDC back into the treasury.
We are undergoing a rapid period of growth and would like to thank you for your patience and understanding. If there are any concerns, please reach out to the team through our support channels."
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
A bounty of $50,000 USD was paid for the discovery.
Total Amount Recovered
Anzen purchased 500k USDz as soon as the exploit transactions were seen on Blast, to absorb the resulting sell pressure; the price impact was reported as negligible.
The exploiter returned 450k USDC to the treasury.
The total amount recovered has been estimated at $450,000 USD.
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ @AnzenFinance Twitter (Accessed Aug 13, 2024)
- ↑ Base Transaction Hash (Txhash) Details | BaseScan (Accessed Aug 13, 2024)
- ↑ Base Transaction Hash (Txhash) Details | BaseScan (Accessed Aug 13, 2024)
- ↑ @yieldsandmore Twitter (Accessed Aug 13, 2024)
- ↑ Anzen (Accessed Aug 13, 2024)
- ↑ Introduction | Anzen Finance (Accessed Aug 13, 2024)
- ↑ Anzen Finance was hit by a $500,000 attack and the attacker has returned the funds after deducting the bounty_Hawk Insight (Accessed Aug 13, 2024)
- ↑ @yieldsandmore Twitter (Accessed Aug 13, 2024)