Vee Finance Price Oracle Manipulation

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Vee Finance

Vee Finance is a decentralized lending platform, which operates through a smart contract hot wallet. Through the creation of a fake token, the hot wallet was breached, and the funds were removed to the hacker. The Vee Finance team has since undertaken some efforts to retrieve the funds from the attacker, however there is no indication those have achieved any result. They are currently running a compensation program using the future profits of the protocol.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27][28][29][30]

About Vee Finance

"Bridge the gap between traditional banking and crypto Defi Earn fixed/flexible return on deposited assets."

"Vee Finance is a DeFi lending platform for traditional financed and crypto users alike. They are committed to bridging the gap between traditional finance and DeFi and providing users with better digital asset management services." "Vee Finance is a lending protocol that is mainly forked from Compound Protocol and add leveraged trading logic on this basis. Users can obtain loan vouchers through mortgage assets, and the loan vouchers can be leveraged in the protocol. When performing leveraged transactions, users will lend funds from the contract, and then create an order through the VeeProxyController contract. When the order is created, the contract will swap the borrowed funds into the target token in Pangolin. When the order expires or the stop-profifit and stop-loss price is reached, reverse swap will be performed, and then the loan will be returned."

"The mission of the project is to reduce barriers for traditional users to participate in DeFi and optimize the efficiency of global asset allocation."

"To use the protocol, users supply their preferred asset that is accepted by the protocol. Users will be able to earn interest based on the asset's market demand for borrowing. Additionally, supplied assets can be used as collateral to allow the user to borrow other assets. Interest earned by supplying funds offsets the accumulated interest rates from borrowing."

"Funds are administered by Smart Contracts. Suppliers/Lenders will be given tokenized yield-bearing tokens (veTokens) which will be used to withdraw funds from the pool on-demand when required. "

"Top ten thievery. $34 million taken from Vee Finance earns them the number 7 spot on our leaderboard, yet nobody seems surprised. What’s normal for us is not normal elsewhere."

“The main cause of the accident was that in the process of creating an order for leveraged trading, only the price of the Pangolin pool was used by the oracle as the source of price feed, and the pool price fluctuated more than 3%. The oracle refreshed the price, causing the attacker to manipulate the price of the Pangolin pool. Manipulating the price of the Vee Finance oracle machine and the acquisition of the oracle machine price were not processed for decimals, resulting in the expected slippage check before the swap did not work.”

"The real reason is that the attacker creates a FAKE ctokenB and passes to the contract. Since the ctokenB is controlled by the attacker, it can return an arbitrary underlying token that is used for calculating the token price. This is the real root cause of the attack."

"1. When performing margin trading, the createOrderERC20ToERC20 function in the following code block will be called to create an order."

"2. When an order is created, the token exchange will be carried out through line 5 of the following code block." "3. Before the token exchange, the expected slippage will be checked through the getAmountOutMin function on line 9 of the following code block."

"4. During slippage check, the priceA and PriceB quotes of the oracle will be obtained through lines 12 and 13 of the following code block, and then the number of TokenA that can be exchanged for TokenB at the current price is calculated through line 15 of the following code block. . Finally, compare with the number of tokens acquired in the Pangolin pool. If the number of TokenB tokens that can be exchanged in the pool is greater than or equal to the expected number of TokenB that can be exchanged using the oracle, then it can be judged that the pool price is correct and not controlled, and the order creation logic is continued."

"5.However, through on-chain records, when the oracle price is obtained, the obtained price decimals has not been processed. Therefore, if the decimals of TokenB is much greater than the decimals of TokenA, then there will be deviations in the calculation of the expected amount ofexchangeable TokenB, amountFromOracle = priceA * swapAmountA / priceB will be smaller than expected."

"6. At the same time, in most attacks, the prices of TokenA and TokenB obtained by the oracle machine are equal, which shows that the price obtained by the oracle machine is wrong."

"7. After communicating with the project party, the project party reported that the source of the price feed for the oracle machine only uses the price of the Pangolin pool, and the price of the pool flfluctuates more than 3%, the oracle machine will refresh the price."

"8. Therefore, the attacker manipulates the number of Pangolin’s tokens to make Vee Finance’s oracle machine to refresh the price. This directly caused the contract to obtain the wrong price from the oracle during the slippage check, which caused the slippage check to be bypassed."

"The attacker forged cTokenB for leveraged transactions. Taking WBTC.e & XAVA as an example, getUnderlying(createParams.ctokenB) when performing getAmountOutMin is the XAVA address obtained by passing in the forged cTokenB from the attacker. But when the price is obtained through getUnderlyingPrice(createParams.ctokenB), if the cToken is not in the list supported by the oracle, then the underlying price of cTokenB will be obtained through the oracle’s getTokenConfigByUnderlying(CErc20(cToken).underlying()). The underlying price at this time is taken by WBTC.e."

"In summary, the attacker used the cToken forgery issue and the decimals processing issue of Oracle price to attack."

"According to address monitoring, the attacker has not yet transferred or processed the attacked assets any further. We maintain communication with attacker and trying to negotiate a solution." "Put out a 500,000 USD worth bounty for the person or team who can track down the attacker."

"Filed the police report to the local police station in the United States and put out a 500,000 USD worth bounty for the person or team who can track down the attacker." "Worked with security companies to investigate the attack. And collected pretty much of the attacker’s on-chain historical transaction and off-chain cipher activities." "Due to the significant amount of loss and potential link to other DeFi attacks, the local authority has escalated this case to the FBI."

"Vee.Finance will bear all the losses. And we have decided to 100% compensate all lenders/depositors."

"Current version (v1) will be suspended, with only Withdraw & Repay functions open. In addition, we will also make some changes to the UI pages, such as the content displayed on the Dashboard page and the function display on the left menu bar."

"After the audit, the new version of smart contracts will be deployed as V2, a brand-new pool with VEE rewards. Trade function will not be available. Stable Coin Sector and Crypto Sector will relaunch in the next early week."

"We have published a plan designed to compensate everyone for their losses as soon as possible. And we will fully fulfill our obligations according to the plan. Compensation details will be published after the voting is over."

"From now on, we’ll do better and better. We’ll listen to every voice in the community and provide better feedback. You supported us; we’ll pay back with our future hard work."

"We started a poll, where users who suffered loss can decide how we are going to compensate them." "The vote on compensation plan ended, with a total of 143 users voting, out of 466 eligible voters. 68% of these users chose “ token as they are”, we hear the community’s voice, and will compensate users in the form of “token as they are”."

"We will start to implement the compensation plan while relaunching Vee.Finance platform next week. A compensation pool dedicated to pay out depositors who suffered losses will be created. Inside the pool will be five tokens AVAX, WBTC, WETH, LINK and USDT, and users can withdraw funds at any time according to their share."

"We will credit the entire month’s earnings of the platform to the compensation pool at the end of each month. The first deposit will be on October 31, 2021, EST."

"In this collaboration with SlowMist, we not only audited the protocol smart contract code but also do a complete audit of all the security-related steps. In addition, we are executing all unit tests in more detail to test all functions and extreme scenarios are also being implemented to prepare for attacks through smart contracts."

"All users who supplied in V1 Crypto pool but were unable to withdraw their assets after the attack. Their relevant wallets will be eligible to withdraw funds in the compensation pool."

"According to the compensation plan, we will deposit all the retrievable revenue into the pool on October 31, 2021. The number of tokens deposited will be calculated as a percentage of their dollar value and the token price will be based on a snapshot as of October 28 EDT, since there would be processing time for the team to exchange the revenue for compensation tokens according to the size of different pools. And we will take out the reserve income on the 28th of each month in the future."

"The eligible users can withdraw funds at any time according to their share. For example, there is $300K in the compensation pool in October and a user’s withdrawable share is 1%, the share he would withdraw is $3,000. When there are new funds in the compensation pool, the user can then continue to withdraw funds according to his share."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Vee Finance Price Oracle Manipulation
Date Event Description
September 20th, 2021 Main Event Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $35,000,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

Hot wallets should either not store customer funds, or be insured fully through smart contract insurance or our proposed industry insurance fund.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Rekt - Vee Finance - REKT (Sep 28, 2021)
  2. The Real Root Cause Of The Vee Finance Security Incident (Oct 2, 2021)
  3. The Main Cause Of Vee Finance Attack (Oct 2, 2021)
  4. Vee Finance (Oct 20, 2021)
  5. Redefining DEX and How Vee.Finance does improve user experience? : VeeFinance (Oct 20, 2021)
  6. https://coinmarketcap.com/currencies/vee-finance/ (Nov 7, 2021)
  7. Introduction to Vee.Finance - Vee.Finance | V2 (Nov 7, 2021)
  8. Vee Finance Attack Analysis (Nov 7, 2021)
  9. Transaction 0x15a7b29c11ee8c1705e3b7e555fc5f35d862e439f62271c9dcda942ea525685a - Avalanche Explorer (Nov 7, 2021)
  10. Transaction 0x797544ebce8acd384c162ad20bed30caadd852ed0a5b71550ab2f37c186840bd - Avalanche Explorer (Nov 7, 2021)
  11. Transaction 0x50a136886e45d018f84f194e49d47aaaa34e1bd5f2b51f2bdc42e4fd20999062 - Avalanche Explorer (Nov 7, 2021)
  12. Transaction 0x031f388aabfa26df922603c377e002713c6315e2660b89e9eea0f0983fbe137c - Avalanche Explorer (Nov 7, 2021)
  13. Transaction 0x072c8cb4a3d71f833d9b22965993657fd2a38e599ed0bcaa37554b39ac0be1b0 - Avalanche Explorer (Nov 7, 2021)
  14. Transaction 0xc490b881f7434af48a1f39ca2d71064e93a1802b5853e3312e8800468dc83b81 - Avalanche Explorer (Nov 7, 2021)
  15. Transaction 0xfd2c5979d2857f385cc0b055a2a4320e0e63e389404fd9e12a169dbdb5b20ac0 - Avalanche Explorer (Nov 7, 2021)
  16. Transaction 0x83821d9869467395583f1d42be15b5e0387e30634fcc2ac75d005ac190dc94dc - Avalanche Explorer (Nov 7, 2021)
  17. Transaction 0xb9581cb407c67db29a18ce9f056be69d05e0c47909c988a9fd0fe07589bf9709 - Avalanche Explorer (Nov 7, 2021)
  18. The Main Cause Of Vee Finance Attack (Nov 7, 2021)
  19. Vee and Zabu Finance Exploits: Two Uncannily Similar Attacks | TRM Insights (Nov 7, 2021)
  20. Vee Finance Latest Updates Sept 22 (Nov 7, 2021)
  21. @VeeFinance Twitter (Nov 7, 2021)
  22. Latest Update Compensation Plan Sept 25 (Nov 7, 2021)
  23. Latest Update Sept 26 (Nov 7, 2021)
  24. Latest Update Sept 27 (Nov 7, 2021)
  25. Vee Finance Restart Plan Sept 28 (Nov 7, 2021)
  26. Latest Update September 30 (Nov 7, 2021)
  27. Latest Update October 1 (Nov 7, 2021)
  28. Latest Update October 2 (Nov 7, 2021)
  29. Vee Finance Roadmap For V2 (Nov 7, 2021)
  30. Vee Finance V2 Relaunch On October 7th (Nov 7, 2021)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Vee_Finance_Price_Oracle_Manipulation&oldid=4223"