ValueDefi Hack
Incident Overview
An attacker exploited a vulnerability in the pool of vBSWAP/BUSD LP, re-initialized the pool, took control, and drained the original stake token, resulting in a loss of 10,839.16 vBSWAP/BUSD LP.
The attacker re-initialized the pool and set the operator role to himself and _stakeToken to HACKEDMONEY. He then took control of the pool and called the method governanceRecoverUnsupported() to drain the original stake token (vBWAP/BUSD LP). The attacker removed 10,839.16 vBWAP/BUSD LP, then removed liquidity and received 7342.75 vBSWAP and 205,659.22 BUSD.
He sold all 7342.75 vBSWAP for 8790.77 BNB at 1inch. The attacker used both BNB and BUSD to buy renBTC and used renBridge to move the funds back to BTC, which was laundered to a specific address.
The attacker's address:
https://bscscan.com/address/0xef63ad57…d28764
The transaction behind the attack:
https://bscscan.com/tx/0xd3382252…769040
The transaction of removing vBWAP/BUSD LP:
https://bscscan.com/tx/0x9ba0454c…6389b6
The laundered BTC address:
https://www.blockchain.com/btc/address/1Cm6WGvXQ9EgvvWX5dRsBxE2NvxFjfbcVF
Incident Report
Protocol Information
What the Attacker Needed to Succeed
Understanding the prerequisites for this type of attack helps auditors identify protocols that are most at risk and helps developers build better defenses.
What Auditors Should Check
If you're auditing a protocol with similar architecture to ValueDefi, these are the critical security checks that could have prevented this incident (May 2021).
- Verify all logic paths related to Access Control Exploit / Other / Math Mistake Exploit / Other are guarded by proper access controls and input validation - see the Access Control Attacks attack class for patterns
- Review privileged functions (owner, admin, governance) for potential abuse vectors - centralization risks should be documented and bounded with timelocks or multi-sigs
Master these auditing techniques with hands-on labs and real exploit scenarios in the Smart Contract Hacking course.
Free TrialRelated Attack Classes
The technique used in this hack maps to these vulnerability classes in our security curriculum:
Sources & References
-
01
Source 1 https://rekt.news/value-rekt2/
- 02
- 03
- 04
-
05
Reference https://rekt.news/value-rekt3/
- 06
Learn to Prevent the Next ValueDefi
The ValueDefi hack is one of many attacks that skilled auditors are trained to detect before deployment. Master real exploit patterns and defense techniques with hands-on Web3 security training.