Vow Currency Rate Adjustment Exploited
Vow aims to run the largest loyalty program in the world on the blockchain in a decentralized manner, and appears to have had some success in attracting retail participation. Unfortunately, their validation methods involve live changes to the exchange rate of the VOW token to the vUSD token, which is normally 1:1. An attacker exploited the higher rate immediately and liquidated the received tokens for Ethereum. The Vow team has acted to decrease the supply of vUSD in various ways; however, many in the community remain vocally upset and are requesting compensation for their losses.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24]
About Vow Currency
"The missing piece for global crypto adoption. Each year retailers lose $7 trillion of revenue by discounting. $VOW crystallises this lost value into something more."
"Cryptocurrency, in a large part, derives its value from speculation. $VOW changes this paradigm for the entire Crypto Industry. It is the key to unlocking global utility and thereby changing the world."
"99% of so called "crypto acceptance" is not real crypto acceptance.
Either a crypto debit card is used or a crypto/fiat gateway is used.
In either case, retailers are settled in fiat.
Retailers do not really accept crypto, and there are definitive reasons for this.
The three main reasons that retailers don't accept crypto are;
(1) Crypto is too volatile.
(2) Crypto is too slow.
(3) There is not enough demand from the public.
VOW fixes all three of these points at once, by introducing a unique token-economic model which incentivises every single Retailer to become part of a massive distribution and acceptance layer around the world."
"Discounts are used by retailers worldwide to excite customers and drive sales. They are not emoney, payment instruments, or crypto tokens." "Paper discount vouchers, all around the world, provide an annual $7 trillion pool of retailer distributed liquidity, that's waiting to be tapped." "When communities of retailers digitise their discounts and each stake $VOW worth 20% of their total issued discount value; a new form of decentralised value transfer is born."
"VOW LIMITED and its management, have successfully ensured that the VOW token is decentralized in its use by attracting a wide network of independent market participants - companies committed to using and consuming VOW tokens.
In addition, VOW LIMITED has ensured sufficient liquidity for the token to flourish on Ce-fi and De-fi markets. It has also gathered a large community who consume and utilize the currency throughout the world, thousands of social media followers, and a good reputation."
"The ecosystem’s ultimate and lofty goal is to decentralise the issuance of (fixed value) currency internationally in a manner which complements banks, governments, businesses, and consumers, and make this happen at unprecedented speed and scale. The method in which this is to be done is commercial, infinitely practical, and shouldn’t result in unnecessary challenges from regulators."
The Reality
"The usdRateSetter had performed [previous adjustment] operations on 1 March 2024, changing the usdRate to 200, then to 5, and finally to 1, suggesting that the attacker was monitoring for future changes to the usdRate and immediately executed the attack once the opportunity arose."
"Two blocks before the attack, the usdRateSetter set the usdRate to 100. The usdRate had previously been set to one on 1 March 2024. This was not the first time the usdRateSetter had temporarily modified the usdRate. On 22 November 2023 and 1 March 2024 the usdRate was also temporarily changed to 150 and 200 respectively. However, these previous changes were not exploited."
What Happened
"Vow suffers an attack due to a contract vulnerability, resulting in a loss of approximately $1.2 million."
Date | Event | Description |
---|---|---|
August 13th, 2024 5:08:59 AM MDT | Adjustment To Rate | The vUSD rate is adjusted by the Vow team, resulting in a rate which is 100 times what it should be. This was reportedly intended to exist only briefly and be used for testing purposes. |
August 13th, 2024 5:09:23 AM MDT | First Attack Transaction | The attack transaction occurs on the blockchain. The actor exploits the increased rate to mint a large number of vUSD tokens, obtaining ETH, USDT, and VOW in the process. |
August 13th, 2024 5:09:35 AM MDT | Second Attack Transaction | The attacker executes a second attack transaction, exploiting the same mechanism. |
August 13th, 2024 6:33:47 AM MDT | Vow Swapped For Ethereum | The attacker swaps their Vow tokens for Ethereum using different decentralized exchanges. |
August 13th, 2024 9:07:00 AM MDT | CertiK Alert Tweet | CertiK shares an alert about the transaction which they have discovered. The root cause according to their analysis is a change in the conversion ratio from 1 to 100. |
August 13th, 2024 11:12:00 AM MDT | Vow Currency Tweet | Vow Currency tweets to report on a recent incident occurring during testing of their USD rate setter function when a bot unexpectedly acquired 20 million VOW tokens and created nearly $2 billion in v$ by selling them into Uniswap. This disruption has impacted the market temporarily. They are actively working to resolve the issue, mitigate its effects, and implement safeguards to prevent future problems. |
August 14th, 2024 4:51:00 PM MDT | Supply Decrease Update | A further update is posted by the Vow Currency team, with updates on the supply decrease. |
Technical Details
"The amount of vUSD received per VOW token was temporarily changed from 1 to 100, giving the attacker 100x more vUSD than they would normally receive
Given it's not the first time the rate was temporarily changed, the attacker was likely waiting for it to happen again"
"The attack contract was deployed 110 days prior to the incident and executed within two blocks of the transaction that modified the usdRate."
"Having detected the rate change to 100, the attacker borrowed 1,486,625 VOW tokens from the Uniswap VOW-WETH pool and transferred them all to the VSCTokenManager contract. The purpose of this step was to burn the VOW tokens in exchange for vUSD."
"When the VSCTokenManager receives VOW tokens, it calculates the amount of vUSD that should be minted based on the usdRate. Since the usdRate was set to 100, the attacker received 100 vUSD for every VOW token burned. The attacker burned 1,486,625 VOW and therefore received 148,662,529 vUSD."
"The attacker used the vUSD to drain the VOW-vUSD pool, swapping out 148m vUSD for the 59m VOW tokens that were in the pool. The attacker then repaid 1,490,198 VOW tokens, for the initial borrow, to the VOW-WETH pool and used the remaining VOW to drain the VOW-USDT and VOW-WETH pools. In total they drained approximately 175 ETH, 595k USDT and 5.8M VOW."
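The following is an added example, not code from the Vow contracts or from the analyses quoted above. It models the mint-on-burn arithmetic with the whole-token figures quoted here and contrasts an immediately effective usdRate with a hypothetical hardened setter; the class names, the 300-block delay, the 2x step bound and the block numbers are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

BURNED_VOW = 1_486_625  # whole-token figure quoted above
NORMAL_RATE, TEST_RATE = 1, 100  # usdRate before and during the test window


@dataclass
class ImmediateRateManager:
    """Behaviour described above: a new usdRate applies to the very next burn."""
    usd_rate: int = NORMAL_RATE

    def set_rate(self, block: int, rate: int) -> None:
        self.usd_rate = rate

    def mint_for_burn(self, block: int, vow: int) -> int:
        return vow * self.usd_rate


@dataclass
class DelayedRateManager:
    """Hypothetical hardening: rate changes are bounded and queued."""
    usd_rate: int = NORMAL_RATE
    delay_blocks: int = 300  # assumed activation delay
    max_step: int = 2        # assumed: at most a 2x move per update
    pending: Optional[Tuple[int, int]] = None  # (activation block, rate)

    def set_rate(self, block: int, rate: int) -> None:
        if rate < 1 or rate > self.usd_rate * self.max_step or rate * self.max_step < self.usd_rate:
            raise ValueError("usdRate change outside allowed step")
        self.pending = (block + self.delay_blocks, rate)

    def mint_for_burn(self, block: int, vow: int) -> int:
        if self.pending and block >= self.pending[0]:
            self.usd_rate, self.pending = self.pending[1], None
        return vow * self.usd_rate


def replay(manager, new_rate=TEST_RATE, gap_blocks=2, start_block=1_000):
    """Rate change at start_block (constructed), third-party burn gap_blocks later."""
    try:
        manager.set_rate(start_block, new_rate)
    except ValueError:
        pass  # a rejected change leaves the old rate in force
    return manager.mint_for_burn(start_block + gap_blocks, BURNED_VOW)


if __name__ == "__main__":
    print(replay(ImmediateRateManager()))            # 100x mint
    print(replay(DelayedRateManager()))              # change rejected
    print(replay(DelayedRateManager(), new_rate=2))  # change still queued
```

With the whole-token input the immediate model yields 148,662,500 vUSD, against the 148,662,529 quoted above. In the delayed model a burn two blocks after the change still mints at the old rate.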
Total Amount Lost
"the loss of assets including: 175 ETH 595,970 USDT 5,801,632 VOW"
"After swapping assets to ETH the attacker has a total of 452 ETH (~$1.2m)"
The total amount lost has been estimated at $1,200,000 USD.
Immediate Reactions
"We want to clarify the recent incident that has occurred while our team was testing the USD rate setter function of the v$ contract in order to mint v$ for the new lending pool and oracle functions.
The USD rate was amended and 1m VOW was sent to the contract to test that everything was working as expected. This created, as expected v$100m, which is subsequently to be burned.
This time gap of making this change, testing, and reverting was around 15-30 seconds.
During this process, an unexpected event occurred where a bot acquired around 20 million VOW tokens from Uniswap and sent them to the contract resulting in nearly v$2 billion being created. The bot subsequently then sold the $2 billion v$ into the Uniswap pool.
This situation has caused a temporary disruption, and we understand the concerns this raises within the community. We want to assure you that we are fully committed to address this immediately and are actively working to resolve market conditions.
Our team is focused on mitigating the impact of this incident and restoring normal operations as quickly as possible. We are also implementing additional safeguards to prevent similar issues from occurring in the future.
We are considering the position carefully and what will happen next. There are several options on the table, all result in solving the situation and forward momentum of the project.
We greatly appreciate your patience and understanding during this time. Please keep calm as we continue to address the situation with the urgency it requires. We will provide further updates as soon as more information becomes available.
Thank you for your continued support and trust in the VOW project."
Ultimate Outcome
"As a further step, the vUSD burn rate (VSR) on Ethereum has been amended by the respective MVD. As stipulated in the white paper, VSR acts as a measure to keep vUSD supply in check. In order to maintain the VOW collateral requirement for every discount voucher in supply, the burn rate has now been increased to 50%. This will now help to bring vUSD supply back to its appropriate level, whilst other courses of action such as a vUSD fork to pre-exploit conditions are considered.
This rate will remain in place until the correct ratio is achieved. Please note that when swapping and sending vUSD this burn rate will now apply to all holder addresses."
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
Community members remain upset, and the supply decrease of vUSD is still underway.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- @Vowcurrency Twitter (Accessed Aug 15, 2024)
- @CertiKAlert Twitter (Accessed Aug 15, 2024)
- Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Aug 15, 2024)
- Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Aug 15, 2024)
- @quillaudits_ai Twitter (Accessed Aug 15, 2024)
- Vow UP'22 | White Paper (Accessed Aug 15, 2024)
- Vow UP'23 | White Paper (Accessed Aug 15, 2024)
- Vow UP'24 | White Paper (Accessed Aug 15, 2024)
- The Vow Ecosystem | White Paper (Accessed Aug 15, 2024)
- The Problem | White Paper (Accessed Aug 15, 2024)
- The Solution | White Paper (Accessed Aug 15, 2024)
- The world's largest rewards economy | White Paper (Accessed Aug 15, 2024)
- Financial Institutions | White Paper (Accessed Aug 15, 2024)
- Enigmatic Smile | White Paper (Accessed Aug 15, 2024)
- The Reward Collection | White Paper (Accessed Aug 15, 2024)
- Token Details | White Paper (Accessed Aug 15, 2024)
- @CertiKAlert Twitter (Accessed Aug 15, 2024)
- Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Aug 15, 2024)
- https://www.certik.com/resources/blog/vow-incident-analysis (Accessed Aug 15, 2024)
- @Vowcurrency Twitter (Accessed Aug 15, 2024)
- @Vowcurrency Twitter (Accessed Aug 15, 2024)
- x.com (Accessed Aug 15, 2024)
- x.com (Accessed Aug 15, 2024)
- x.com (Accessed Aug 15, 2024)