News / Vee Finance Exploit Uncovers DeFi Limitations

Vee Finance Exploit Uncovers DeFi Limitations


Vee Finance, a small lending protocol, recently suffered an exploit leading to a $35M loss. Despite the relatively limited effect, the Vee Finance exploit underlined the still present vulnerabilities in DeFi smart contracts. 

Vee Finance discovered the exploit on September 20, immediately shutting down most of its smart contract functionalities. The news caused an immediate slide in the price of VEE, the protocol’s native token. 

VEE started trading this September 19, just hours before the exploit. Since then, the asset slid from a high of $0.75 to around $0.10. In the past couple of days, VEE relied on a single decentralized trading pair for its price discovery mechanism. The asset is not listed on any major exchanges yet. 

Exploit Due to Circular Trading Information

The reason for the exploit of VEE was the lack of any other trading pairs for price discovery. The Vee Finance project is a crypto lending scheme based on Curve Finance, which relies on the value of its native asset for lending and passive income. 

However, the Vee Finance smart contract relied on oracle information from the one available decentralized pair. Because the pair was so illiquid, with volumes only around $65,000, it was possible to manipulate the price. 

“The oracle machine has a single source of price feed, and the refresh conditions are affected by the real-time number of tokens in the Pangolin pool (the pool price fluctuates by 3%, and it will be refreshed),” explained the Vee Finance team.

Only ETH and BTC deposits were affected while leaving the deposits of USDT, USDC and DAI within the protocol out of the reach of the attacker. 

The attacker managed to drain the deposit contracts, taking away BTC and ETH from the lending liquidity pools. Later, the funds were moved using the bridge to Ethereum. 

The Vee Finance team called on the account holder to contact the project and possibly receive a bounty for discovering the bug. 

Avalanche Team Hints at Inside Job

There are some suspicions the Vee Finance exploit was a planned operation. The smart contracts operating the DeFi pools and lending mechanisms are closed source, and have not been available for review. 

The Vee Finance team, however, believes an outside attacker created a price discrepancy and managed to move the funds. 

Attack Underlines Growing Influence of Avalanche

The Avalanche protocol is quickly taking over the DeFi space, as one of the powerful platforms available for building smart contracts. The platform has a bridge to Ethereum, thus becoming accessible for other ETH holders and experienced DeFi users. 

Avalanche noted that the attack exploited the ETH bridge, initially issuing 27 WETH. The attacker also went through buying AVAX, before calling on the Vee Finance smart contracts multiple times and draining their funds. 

AVAX Unaffected by Exploit

Despite the exploit that used Pangolin Exchange, the most active Avalanche-based decentralized trading venue, AVAX prices remain unaffected. 

AVAX traded at $62.96, adding more than 6% to its price and so far surviving the overall cryptocurrency market correction.

Avalanche currently carries more than $2.73B in total value locked. The latest available reports for Vee Finance, which launched only recently, was that the lending protocol managed to build up more than $300M in total value locked. 

Avalanche grew its TVL within a month, also boosting the AVAX market price and lining up the native token as one of the most promising digital assets in 2021.

Bridge Exploits Also Hurt DeFi Projects

The task of bridging between Ethereum and other protocols is also creating a potential for DeFi exploits. The bridging uses smart contracts, where logic loops can be exploited. 

In the past months, THORChain (RUNE) and ChainSwap both lost tokens due to malicious calls on their bridge smart contracts. 

The latest exploit affected pNetwork, another protocol attempting to connect various blockchains for a smoother DeFi experience. The exploit took away most of the BTC collateral, or 277 coins in total. 

DeFi exploits accelerated since May 2021, and have reached a total above $400M. Attacks have included direct draining of liquidity pairs, as well as smart contract loopholes that sent unlimited tokens. 

So far, DeFi projects do not have unified practices and often use closed source or unaudited smart contracts. The biggest hack in the space, PolyNetwork, threatened to cause losses of above $600M. But the exploit turned out to be the deed of a white hat hacker who restored the funds just days after the exploit.

The Ethereum-based DeFi space now holds around $79B in total value locked, erasing some of the gains due to ETH prices falling under $3,000. A handful of smaller projects are now building up their liquidity, and hold the equivalent of 1B to 3B USD.

Easy Way to Buy
Easy Way to Buy

Uphold makes buying crypto with popular currencies like USD, EUR and GBP very simple with its convenient options to swap between crypto, fiat, equities, and precious metals.

Kraken
Kraken

With over 50 coins and an obsession with security, Kraken is one of the safest places to buy and trade crypto.

Kraken Review
Kraken Review

Kraken has a good reputation for security and protection of your funds and operates across the USA (except NY), Canada, the EU and Japan

Uphold Review
Uphold Review

Based in Charleston, South Carolina. Serves over 184 countries and has done over $4 billion in transactions. Offers convenient options to swap between crypto, fiat, equities, and precious metals.

What is DEFI and how to invest in it
What is DEFI and how to invest in it

Will decentralised finance revolutionise the financial world or is a a lot of hype. Should you get invoved?

Eco Coin Index
Eco Coin Index

We analyse the most popular eco friendly cryptocurrencies looking a their energy efficiency and usage

Binance Coin Review
Binance Coin Review

A multi-utility asset, linked to the diverse activities of the Binance Exchange. A token to pay trading fees, as well as participate in new asset sales, BNB now runs on a proprietary blockchain.

Solana Review
Solana Review

Solana is a cryptocurrency project with a radically different approach to how blockchains work. It focuses on an element which is very simple: time. It seems introducing a decentralised clock to a cryptocurrency blockchain makes it more efficient than anyone could have possibly imagined. Solana is a high-performance cryptocurrency blockchain which supports smart contracts and decentralised applications. It uses proof of stake consensus mechanism with a low barrier to entry along with timestamped transactions to maximise efficiency.