2 for 1, that’s Value DeFi: The first protocol to feature twice on the rekt leaderboard.
When we first covered Value in November of 2020, they had just lost $7,000,000 after bragging about their “flash loan protection”.
Back then we learned that Value DeFi did not really know flash loan. Now they have lost another $10,000,000, and we find out that Value DeFi do not really know copy paste either, as they report the exploit was made possible due to losing a line of code by “human error”
Ten million dollars lost due to basic mistakes by the team, yet the native token $VALUE barely dumped at all.
The following analysis is taken from the official post-mortem.
On May 5th 2021, 3:22 AM UTC, the exploiter re-initialized the pool and set the operator role to himself and _stakeToken to HACKEDMONEY.
By doing so, the exploiter took control of the pool and called the method governanceRecoverUnsupported() and drained the original stake token (vBWAP/BUSD LP).
The exploiter then removed 10,839.16 vBWAP/BUSD LP, then burned the LP tokens and received 7342.75 vBSWAP and 205,659.22 BUSD.
The exploiter then sold all 7342.75 vBSWAP for 8790.77 BNB at 1inch.
The exploiter used both BNB and BUSD to buy renBTC and used renBridge to move the funds back to BTC, sent to the following address: 1Cm6WGvXQ9EgvvWX5dRsBxE2NvxFjfbcVF
The actions can be verified on-chain here.
The affected pool contract had an initialize() function that should have been activated after deployment.
The line: initialized = true; is missing from the function.
This meant anyone could re-initialize the pool and set themself as owner, thereby taking full control. As owner, the exploiter used the governanceRecoverUnsupported(), which is used for recovering pool funds in the event of a bug or undesired event.
During set up of the profit-sharing vStake pool, the code was not written from scratch but migrated from the old implementation of the Value DeFi Reserve Fund, which had the correct setting. When merging the code, the line was not included.
In the end, the hacker was the only one who got their value for their money, a ten million dollar prize without even taking out a loan.
The Value DeFi team however, just got another spot on our leaderboard.
REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.
Donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C
REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.
You might also like...
Twice in one week. Value DeFi is a trainwreck. Six months ago they lost $7M. Three days ago they lost $10M. Now they’ve lost another $11M. What went so wrong with Value DeFi?
The hackers are really spoiling us this week with our fourth helping of the exact same meal. Can you ever really get tired of a classic? $7.2M was stolen from BurgerSwap in just 14 servings.
The PancakeBunny attack pulled the rabbit out of the hat, now a surprisingly similar string of attacks emerges from Binance Smart Chain. $680,000 taken from Merlin Lab.