Wault Finance Stablecoin Peg Logic Error
Wault Finance offered a financial service which included a stablecoin. Liquidity was backed by funds in a smart contract hot wallet. Through flash loans and price manipulation, an attacker was able to remove liquidity, and the announcement of the hack triggered a price crash.
No user funds were lost in the attack; however, the price dropped. The project identified and resolved the vulnerability, implemented 4 separate mechanisms to restore the stablecoin price, and performed a buy-back of its main project token.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16]
About Wault Finance
"Wault Finance is a decentralized finance hub that connects all of the primary DeFi use-cases within one simple ecosystem, on the Binance Smart Chain and Polygon network. In short, an all-in-one DeFi Platform!" "Wault Finance was launched in early 2021 with no venture capitalists. A fair launch for the community was our priority. Therefore, Wault was started with a market cap of only $150,000 (60 ETH)."
"So, with these goals in mind we’ve built a protocol including 4 tokens – WAULTx, WEX, WEXpoly, and WUSD – and some unique features such as: WaultSwap (AMM), Wault Launchpad (new project presales), Wault Locker (liquidity locks for new or established projects), Wault Farms (staking and farming) and many other great services. We believe these services will amplify trust and wealth-accumulation, for our users."
"On August 4th, 2021, at 1:49:05 AM UTC, an attack took place on WUSD’s pegging mechanism." "From this attack by using the flaw explained above. The attacker gained 370.19 ETH in total after repaying the flash loan."
"Minting $WUSD can be done using the stake() function in WUSDMaster contract. The stake function accepts $USDT from the user in line 700 to mint $WUSD with the rate of 1:1 in line 715, and a portion of the $USDT received is swapped to $WEX using the ratio determined by the wexPermille variable in line 708–714."
"With this logic, each staking of $USDT to mint $WUSD will cause the price of $WEX in the Wault USDT-WEX pool to increase." "After executing the stake() function, it [was] possible to swap the $WUSD back to $USDT by using WUSD-USDT pool with a nearly 1:1 rate in the WSwap AMM. As a result, the WUSDMaster contract [could] be used to pump the $WEX price with almost no cost for the attacker."
"(1) The attacker flash loaned $WUSD from WSwap’s WUSD-USDT pool and redeemed it for $USDT and $WEX.
(2) The attacker flash loaned $USDT from PCS’s WBNB-USDT pool to prepare for the attack.
(3) The attacker swapped a part of the flash loaned $USDT to $WEX before the price is pumped in the next steps.
(4) The attacker staked the flash loaned $USDT to WUSDMaster contract. The 10% of staked $USDT was swapped to $WEX ($WEX price was increased) and the attacker gained the $WUSD with a 1:1 rate.
(5) Since there was a limit on the staking amount, the attacker performed step 4 repeatedly to increase the $WEX price with almost no cost.
(6) With the manipulated rate, the attacker gained profit in $USDT by swapping $WEX from steps 1 and 3 back to $USDT.
(7) The attacker returned the $WUSD and $USDT flash loaned.
(8) The attacker swapped the remaining $WUSD and the $USDT profit to $ETH."
"Upon learning of the attack, the Wault team quickly turned off WUSD minting on the UI, and worked with three audit firms to deduce the nature of the attack and scope of the vulnerability, soon identifying it and confirming no more funds were at risk." "[E]ven during the attack, WUSD never dropped below 0.91 because the collateral model held strong as intended. This is already more stable than many other stablecoins at launch, and they didn’t suffer an attack, proving that WUSD’s stability model works."
"The result of the attack was the attacker gained ~$816k from the WUSDMaster contract. However, the 90% portion of USDT collateral for WUSD was not affected, nor was the Treasury; As we stated when introducing WUSD, we designed these two portions of funds to be isolated and safe under all conditions. All other pools and products in Wault were also unaffected and continued operating efficiently."
"Over the following day, the team developed a solution to the vulnerability and simulated it with auditors, confirming that it would eliminate the attack vector and make WUSD safe."
- "Mint Timelock (1 block): When someone mints WUSD, they will only receive it one block later. This prevents flash loan attacks.
- Redeem Timelock (1 block): When someone redeems WUSD, they will only receive it one block later. This prevents flash loan attacks.
- Minting Fee: We’ll move the 0.2% transaction fee from redemption into a minting fee of 0.2% to mitigate potential arbitrage attacks.
- Sell WEX On Redeem: Just like how the protocol buys WEX on mint, it will sell WEX on redemption. This will prevent price manipulation attacks."
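The stake() behaviour and the one-block mint timelock quoted above can be checked against a small model. This is an added example, not code from Wault Finance or the cited analyses: the pool reserves, the AMM swap fee and the names `Pool`, `Master`, `price_drift` and `same_block_claim` are assumptions; only the 10% WEX share comes from the quoted text.

```python
from dataclasses import dataclass, field

SWAP_FEE = 0.002     # assumed AMM fee; not taken from the page
WEX_PERMILLE = 100   # 10% of each stake buys WEX (share quoted on the page)

@dataclass
class Pool:
    """Constant-product USDT-WEX pool; reserves are constructed sample values."""
    usdt: float = 1_000_000.0
    wex: float = 100_000_000.0
    def price(self) -> float:
        return self.usdt / self.wex          # spot price, USDT per WEX
    def buy_wex(self, usdt_in: float) -> None:
        eff = usdt_in * (1 - SWAP_FEE)
        out = self.wex * eff / (self.usdt + eff)
        self.usdt += usdt_in
        self.wex -= out

@dataclass
class Master:
    """Hypothetical stand-in for WUSDMaster: 1:1 mint plus a forced WEX buy."""
    pool: Pool
    mint_delay: int = 0                      # blocks until minted WUSD is claimable
    pending: dict = field(default_factory=dict)
    def stake(self, user: str, usdt: float, block: int) -> None:
        self.pool.buy_wex(usdt * WEX_PERMILLE / 1000)
        owed, _ = self.pending.get(user, (0.0, 0))
        self.pending[user] = (owed + usdt, block + self.mint_delay)
    def claim(self, user: str, block: int) -> float:
        owed, ready = self.pending.get(user, (0.0, 0))
        if block < ready:
            raise RuntimeError("mint timelock: WUSD not claimable in this block")
        self.pending.pop(user, None)
        return owed

def price_drift(stakes: int, size: float) -> float:
    """Relative change in WEX spot price caused only by protocol-side buys."""
    m = Master(Pool())
    start = m.pool.price()
    for _ in range(stakes):
        m.stake("minter", size, block=1)
    return m.pool.price() / start - 1

def same_block_claim(mint_delay: int) -> bool:
    """True if WUSD minted in block 1 can also be claimed in block 1."""
    m = Master(Pool(), mint_delay)
    m.stake("minter", 1_000.0, block=1)
    try:
        return m.claim("minter", block=1) == 1_000.0
    except RuntimeError:
        return False
```

With ten stakes of 250,000 USDT against the constructed pool, `price_drift(10, 250_000.0)` shows the WEX spot price rising by roughly 56% while the staker still holds a 1:1 WUSD claim. Setting `mint_delay=1` makes `same_block_claim` return False, which is the property the mint timelock relies on.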
"The first thing we need to point out is that no funds were stolen nor incorrectly minted. The attacker profited by manipulating the WEX price a modest amount. Following that, some users panic sold and panic redeemed WUSD, which caused the bulk of the WEX price drop."
"The 90% of USDT collateral has held as a strong floor, so all we have to do now is fill up the WEX portion. The first step we did was to buyback and burn $141k worth of WEX from the treasury." "The treasury will continue filling up from the below stability mechanisms until it restores the peg, and then continue to grow as a future buffer." "Due to WUSD being below $1, we’re slowly increasing the portion of WEX emissions that goes to the WUSD Treasury (total WEX emissions are unchanged). This portion is growing and continuing to refill the Treasury." "We’re steadily increasing the WSwap trading fees going to the Treasury from 15%. Along with emissions, these will serve as ongoing buybacks & burns on WEX until the peg is restored." "Once we resume allowing WUSD minting, we’ll be allocating healthy emissions to the WUSD-BUSD pair, which should attract new minters to help refill the treasury."
"With these mechanisms, the WUSD peg should be restored within a number of days, and the treasury will continue to grow to create an additional safety buffer." "In addition, we’re speaking with future WPool partners and offering them incentives to pair their tokens with WUSD for their WPool farms, which will create further buying/minting demand for WUSD."
"We’ll be dedicating half a million dollars from a combination of the team’s development fund and trading fees to do a large buyback & burn of WEX soon. Between this and our other initiatives, it should cover the bulk of the attack amount. However, we won’t just stop there. We’re working on improving security as well."
"We’ll be launching a professional Bug Bounty Program with Immunefi, offering up to $100k USD to their network of white hats to help inspect and secure all our code." "Of course, even though audits aren’t invulnerable as proven by this event, we’ll keep getting them, starting with one next week for our solution on WUSD."
"[W]e want to apologize to any of our users this affected. Even though we commissioned two audits before launching this code, unfortunately, no one foresaw this type of attack. Luckily, this problem occurred early on, giving us the chance to fix it before WUSD’s circulating supply increased further. Now, we can move forward with a technical solution, and do our best to compensate our users." "[W]e will learn from this experience, work harder, and build smarter."
The Reality
What Happened
Date | Event | Description |
---|---|---|
August 4th, 2021 | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Technical Details
Total Amount Lost
The total amount lost has been estimated at $816,000 USD.
Immediate Reactions
Ultimate Outcome
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11, 2021)
2. Wusd Incident Recap And Solution (Aug 29, 2021)
3. Wault Finance Incident Analysis Wex Price Manipulation Using Wusdmaster Contract (Aug 29, 2021)
4. Wault Finance Flash Loan Security Incident Analysis | by Knownsec Blockchain Lab | Medium (Aug 29, 2021)
5. Wault Finance - Wault (Sep 15, 2021)
6. Wault Finance – Wault Finance (Sep 15, 2021)
7. Binance Transaction Hash (Txhash) Details | BscScan (Sep 26, 2021)
8. Address 0x886358f9296de461d12e791bc9ef6f5a03410c64 | BscScan (Sep 26, 2021)
9. Contract Address 0x50AFA9383EA476BDF626d6FbA62AFd0b01C8fEa1 | BscScan (Sep 26, 2021)
10. Contract Address 0x6102D8A7C963F78D46a35a6218B0DB4845d1612F | BscScan (Sep 26, 2021)
11. Contract Address 0x50e8D9Aa83eBDe9608074eC1faaDfD2E792D9B81 | BscScan (Sep 26, 2021)
12. Contract Address 0xa79Fe386B88FBee6e492EEb76Ec48517d1eC759a | BscScan (Sep 26, 2021)
13. Contract Address 0x16b9a82891338f9bA80E2D6970FddA79D1eb0daE | BscScan (Sep 26, 2021)
14. Binance Transaction Hash (Txhash) Details | BscScan (Sep 26, 2021)
15. Transparency - Wault (Sep 26, 2021)
16. CertiK Audit Report for Wault Finance (Sep 26, 2021)