Preliminary Analysis of Attack on Vesper Lend Beta
According to Fairyproof’s monitoring system, Vesper Lend Beta (vesper.finance), a DeFi application, was attacked on Nov-02-2021 01:59:59 PM +UTC.
Here is a preliminary roundup of this attack:
The attacker’s address was 0xa3F447FeB0b2bdDc50a44CcD6F412a5F98619264
The attacking contract’s address was 0x7993E1d66FFB1ab3FB1Cb3db87219f532C25BdC8
At least 660 ETH, valued at 3.5 million USD, were extracted through this attack.
Here is the process of the attack:
Step 1: the attacker obtained 100 ETH from Tornado Cash
Step 2: 56.818181818181818181 ETH were exchanged for 250,000 USDC on Uniswap V3
Step 3: the attacker exchanged 1 USDC for 1 VUSD
Step 4: the attacker dumped the 250,000 USDC obtained in step 2 into the VUSD-USDC liquidity pool on Uniswap V3, pumping the price of VUSD in USDC.
This is where the vulnerability lay: Vesper Lend used Uniswap V3’s VUSD-USDC trading pair as its price feed for VUSD, and after step 4 the attacker had pumped the price of VUSD to an extreme level.
Step 5: the attacker used the one VUSD obtained in step 3 as collateral to borrow huge amounts of ERC-20 tokens
Step 6: the attacker exchanged all the ERC-20 tokens for ETH valued at approximately 3.5 million USD
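A mitigation for the price-feed weakness noted after step 4, as an added example that is not code from Vesper, Uniswap or Fairyproof: value collateral from a time-weighted average of the pool's ticks and refuse to price it when the current tick has moved far from that average. The tick history, the 1800-second window, the 200-tick threshold and all names are constructed assumptions, and token decimals are ignored.

```python
# Added example; constructed data and hypothetical names, not Vesper or Uniswap code.
from dataclasses import dataclass

TICK_BASE = 1.0001  # Uniswap V3 convention: price = 1.0001 ** tick

class PriceDeviation(Exception):
    """Spot price is too far from the time-weighted average to be trusted."""

@dataclass
class Observation:
    timestamp: int        # seconds
    tick_cumulative: int  # running sum of tick * seconds elapsed

def accumulate(ticks):
    """Build observations from (timestamp, tick in force from then on) pairs."""
    obs, cum = [Observation(ticks[0][0], 0)], 0
    for (t0, tick), (t1, _) in zip(ticks, ticks[1:]):
        cum += tick * (t1 - t0)
        obs.append(Observation(t1, cum))
    return obs

def twap_tick(obs, window):
    """Mean tick over at least `window` seconds ending at the newest observation."""
    end = obs[-1]
    start = next((o for o in reversed(obs)
                  if o.timestamp <= end.timestamp - window), None)
    if start is None:
        raise ValueError("not enough oracle history for the requested window")
    return (end.tick_cumulative - start.tick_cumulative) // (end.timestamp - start.timestamp)

def collateral_price(spot_tick, obs, window=1800, max_dev_ticks=200):
    """Price collateral from the TWAP; refuse when spot has moved > ~2% away."""
    mean = twap_tick(obs, window)
    if abs(spot_tick - mean) > max_dev_ticks:
        raise PriceDeviation(f"spot tick {spot_tick} vs TWAP tick {mean}")
    return TICK_BASE ** mean

# Constructed history: a pool trading near 1:1, then one large swap at t=3600.
TICKS = [(0, 2), (600, -1), (1200, 3), (1800, 0), (2400, 1), (3000, 2), (3600, 50000)]
OBS = accumulate(TICKS)

if __name__ == "__main__":
    print("TWAP tick:", twap_tick(OBS, 1800))            # unaffected by the last swap
    print("spot price:", round(TICK_BASE ** 50000, 1))  # what a spot feed would report
    try:
        collateral_price(50000, OBS)
    except PriceDeviation as e:
        print("borrow refused:", e)
```

The swap at the newest timestamp has not yet accumulated any seconds, so it cannot move the average within the same block; the deviation check additionally halts borrowing while the pool is visibly out of line.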
Information about some key transactions:
The hash value of the transaction that initiated the attack was 0x89d0ae4dc1743598a540c4e33917efdce24338723b0fabf34813b79cb0ecf4c5
The hash value of the transaction that took away all the ERC-20 tokens was 0x8527fea51233974a431c92c4d3c58dee118b05a3140a04e0f95147df9faf8092
The hash value of the transaction that exchanged all ERC-20 tokens to ETHs was 0x70d6ff9fcccb190fe49c9b364b7aeb69873a68fcf7aa81626a47f7c68019bc7d
An interesting detail here: the hash value of the transaction that initiated this attack was 0x89d0ae4dc1743598a540c4e33917efdce24338723b0fabf34813b79cb0ecf4c5.
Etherscan marked this hash as both “Private Transaction” and “Flashbots”. It might be a Flashbots transaction that was sent directly to ETH miners and was not included in the mempool. Fairyproof will pay close attention to this incident and disclose more details.