{"id":1477,"date":"2021-09-22T08:47:27","date_gmt":"2021-09-22T07:47:27","guid":{"rendered":"https:\/\/tradersofcrypto.com\/news\/?p=1477"},"modified":"2021-09-22T08:47:28","modified_gmt":"2021-09-22T07:47:28","slug":"vee-finance-exploit-uncovers-defi-limitations","status":"publish","type":"post","link":"https:\/\/tradersofcrypto.com\/news\/vee-finance-exploit-uncovers-defi-limitations\/","title":{"rendered":"Vee Finance Exploit Uncovers DeFi Limitations"},"content":{"rendered":"\n<p>Vee Finance, a small lending protocol, recently suffered an exploit leading to a $35M loss. Despite the relatively limited effect, the Vee Finance exploit underlined the still present vulnerabilities in DeFi smart contracts.&nbsp;<\/p>\n\n\n\n<p>Vee Finance discovered the exploit on September 20, immediately shutting down most of its smart contract functionalities. The news caused an immediate slide in the price of VEE, the protocol\u2019s native token.&nbsp;<\/p>\n\n\n\n<p>VEE started trading this September 19, just hours before the exploit. Since then, the asset slid from a high of $0.75 to around $0.10. In the past couple of days, VEE relied on a single decentralized trading pair for its price discovery mechanism. The asset is not listed on any major exchanges yet.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/5JA7ijrak5CxQAt_INuGmI3HjJwkQXZK2tiuvDYma7gBkbKcILAyM8nDHkqXXLIh4qplAclJ3L8afg_3LMq9zUNKgWPN8U8-qC80Ehy32eyktoL4LYAugZRddG-ACqQe8zMqu0GY=s0\" alt=\"\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Exploit Due to Circular Trading Information<\/strong><\/h3>\n\n\n\n<p>The reason for the exploit of VEE was the lack of any other trading pairs for price discovery. 
The Vee Finance project is a crypto lending scheme based on Curve Finance, which relies on the value of its native asset for lending and passive income.&nbsp;<\/p>\n\n\n\n<p>However, the Vee Finance smart contract relied on oracle information from the one available decentralized pair. Because the pair was so illiquid, with volumes only around $65,000, it was possible to manipulate the price.&nbsp;<\/p>\n\n\n\n<p>\u201cThe oracle machine has a single source of price feed, and the refresh conditions are affected by the real-time number of tokens in the Pangolin pool (the pool price fluctuates by 3%, and it will be refreshed),\u201d explained the Vee Finance team.<\/p>\n\n\n\n<p>Only ETH and BTC deposits were affected, while the deposits of USDT, USDC and DAI within the protocol remained out of the reach of the attacker.\u00a0<\/p>\n\n\n\n<p>The attacker managed to drain the deposit contracts, taking away BTC and ETH from the lending liquidity pools. Later, the funds were moved using the bridge to Ethereum.&nbsp;<\/p>\n\n\n\n<p>The Vee Finance team called on the account holder to contact the project and possibly receive a bounty for discovering the bug.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\"><p lang=\"en\" dir=\"ltr\">Dear Mr\/Ms 0x**95BA,<br>This is VEE Finance team, we\u2019re willing to launch a bounty program for the bug you identified. 
Please connect us via email or other contact you prefer.<a href=\"https:\/\/t.co\/24R5XuSDDS\">https:\/\/t.co\/24R5XuSDDS<\/a> <a href=\"https:\/\/t.co\/HwSNRi838g\">pic.twitter.com\/HwSNRi838g<\/a><\/p>&mdash; vee.finance\ud83d\udd3a (@VeeFinance) <a href=\"https:\/\/twitter.com\/VeeFinance\/status\/1440217570339016704?ref_src=twsrc%5Etfw\">September 21, 2021<\/a><\/blockquote><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Avalanche Team Hints at Inside Job<\/strong><\/h3>\n\n\n\n<p>There are some suspicions the Vee Finance exploit was a planned operation. The smart contracts operating the DeFi pools and lending mechanisms are closed source, and have not been available for review.&nbsp;<\/p>\n\n\n\n<p>The Vee Finance team, however, believes an outside attacker created a price discrepancy and managed to move the funds.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Attack Underlines Growing Influence of Avalanche<\/strong><\/h3>\n\n\n\n<p>The Avalanche protocol is quickly taking over the DeFi space, as one of the powerful platforms available for building smart contracts. The platform has a bridge to Ethereum, thus becoming accessible for other ETH holders and experienced DeFi users.&nbsp;<\/p>\n\n\n\n<p>Avalanche noted that the attack exploited the ETH bridge, initially issuing 27 WETH. 
The attacker also bought AVAX before calling the Vee Finance smart contracts multiple times and draining their funds.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>AVAX Unaffected by Exploit<\/strong><\/h3>\n\n\n\n<p>Despite the exploit that used Pangolin Exchange, the most active Avalanche-based decentralized trading venue, AVAX prices remain unaffected.&nbsp;<\/p>\n\n\n\n<p>AVAX traded at $62.96, adding more than 6% to its price and so far surviving the overall <a href=\"https:\/\/tradersofcrypto.com\/news\/bitcoin-overextended-retracement-continues\/\">cryptocurrency market<\/a> correction.<\/p>\n\n\n\n<p>Avalanche currently carries more than $2.73B in total value locked. The latest available reports for Vee Finance, which launched only recently, were that the lending protocol managed to build up more than $300M in total value locked.&nbsp;<\/p>\n\n\n\n<p>Avalanche grew its TVL within a month, also boosting the AVAX market price and lining up the native token as one of the most promising digital assets in 2021.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Bridge Exploits Also Hurt DeFi Projects<\/strong><\/h3>\n\n\n\n<p>The task of bridging between Ethereum and other protocols is also creating a potential for DeFi exploits. The bridging uses smart contracts, where logic loops can be exploited.&nbsp;<\/p>\n\n\n\n<p>In the past months, THORChain (RUNE) and ChainSwap both lost tokens due to malicious calls on their bridge smart contracts.&nbsp;<\/p>\n\n\n\n<p>The latest exploit affected pNetwork, another protocol attempting to connect various blockchains for a smoother DeFi experience. 
The exploit took away most of the BTC collateral, or 277 coins in total.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\"><p lang=\"en\" dir=\"ltr\">1\/N We&#39;re sorry to inform the community that an attacker was able to leverage a bug in our codebase and attack pBTC on BSC, stealing 277 BTC (most of its collateral).<br><br>The other bridges were not affected. All other funds in the pNetwork are safe.<\/p>&mdash; pNetwork \ud83e\udd9c (@pNetworkDeFi) <a href=\"https:\/\/twitter.com\/pNetworkDeFi\/status\/1439690593211490324?ref_src=twsrc%5Etfw\">September 19, 2021<\/a><\/blockquote><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div><\/figure>\n\n\n\n<p>DeFi exploits have accelerated since May 2021 and have reached a total above $400M. Attacks have included direct draining of liquidity pairs, as well as smart contract loopholes that sent unlimited tokens.&nbsp;<\/p>\n\n\n\n<p>So far, <a href=\"https:\/\/tradersofcrypto.com\/news\/defi-faces-the-hardest-downfall-but-no-cause-for-concern\/\">DeFi projects<\/a> do not have unified practices and often use closed source or unaudited smart contracts. The biggest hack in the space, PolyNetwork, threatened to cause losses of more than $600M. But the exploit turned out to be the deed of a white hat hacker who restored the funds just days after the exploit.<\/p>\n\n\n\n<p>The Ethereum-based DeFi space now holds around $79B in total value locked, erasing some of the gains due to <a href=\"https:\/\/tradersofcrypto.com\/news\/the-second-largest-cryptocurrency-hints-transition-to-the-upside\/\">ETH prices<\/a> falling under $3,000. 
A handful of smaller projects are now building up their liquidity, and hold the equivalent of 1B to 3B USD.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Vee Finance was the latest project to have its collateral liquidity drained, after a smart contract exploit that drained BTC and ETH collaterals.<\/p>\n","protected":false},"author":3,"featured_media":1478,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[344,343,5,377,378],"class_list":["post-1477","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorised","tag-avalanche","tag-avax","tag-defi","tag-pangolin","tag-vee","entry"],"_links":{"self":[{"href":"https:\/\/tradersofcrypto.com\/news\/wp-json\/wp\/v2\/posts\/1477","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tradersofcrypto.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tradersofcrypto.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tradersofcrypto.com\/news\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/tradersofcrypto.com\/news\/wp-json\/wp\/v2\/comments?post=1477"}],"version-history":[{"count":0,"href":"https:\/\/tradersofcrypto.com\/news\/wp-json\/wp\/v2\/posts\/1477\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tradersofcrypto.com\/news\/wp-json\/wp\/v2\/media\/1478"}],"wp:attachment":[{"href":"https:\/\/tradersofcrypto.com\/news\/wp-json\/wp\/v2\/media?parent=1477"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tradersofcrypto.com\/news\/wp-json\/wp\/v2\/categories?post=1477"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tradersofcrypto.com\/news\/wp-json\/wp\/v2\/tags?post=1477"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}