Open in app

Sign in

Write

Sign in

SlowMist: An Analysis of the Attack on Wault.Finance (Released in 2021)

SlowMist
5 min readMay 9, 2023

--

On August 4, 2021, at 10:23 AM, SlowMist Zone captured intelligence indicating that the WUSDMaster contract of Wault.Finance was suspected to have been hacked. The SlowMist security team immediately intervened to analyze the situation, and the following is a detailed analysis of the incident.

Incident related information

Attacker address: 0x886358f9296de461d12e791bc9ef6f5a03410c64

Attacker contract address A: 0xaa895873a268a387e38bd841c51d2804071197a1

Attacker contract address B: 0x50afa9383ea476bdf626d6fba62afd0b01c8fea1

Target project: https://app.wault.finance/bsc/#wusd

Target project address: 0xa79fe386b88fbee6e492eeb76ec48517d1ec759a (Wault.Finance’s WUSDMaster contract)

Background of the Parties Involved

Attacker: The hacker created an attack contract address A and launched the attack in the constructor function.

Targeted Project: WUSDMaster is a contract for staking BSC_USDT to obtain WUSD, which can be redeemed for BSC_USDT. During the process, a portion of the funds is transferred to the Treasury, and WUSDMaster uses WEX to subsidize users.

The core point of the attack

In the stake function of the WUSDMaster contract, BSC_USDT and WUSD are exchanged at a 1:1 ratio during the pledge process, but it also performs a swap operation, which can be exploited by hackers for arbitrage.

The core issue: allowing a 1:1 exchange of BSC_USDT and WUSD in the WUSDMaster contract’s stake function, while the swap operation in WUSDMaster also causes the tokens in the WaultSwapPair(BSC_USDT-WEX) pool to become imbalanced, creating arbitrage opportunities.

Note: BSC_USDT and WUSD can also be understood as being priced at a 1:1 ratio.

Attack analysis

Attack transaction Txid: 0x31262f15a5b82999bf8d9d0f7e58dcb1656108e6031a2797b612216a95e1670e

Attack contract address: 0xaa895873a268a387e38bd841c51d2804071197a1

Attacker address: 0x886358f9296de461d12e791bc9ef6f5a03410c64

Attacked project address: 0xa79fe386b88fbee6e492eeb76ec48517d1ec759a (wault.Finance’s WUSDMaster contract)

We can divide the process into 3 stages: preparing arbitrage funds, constructing arbitrage space, and implementing arbitrage.

Step 1: Obtain initial attack funds through flash loans

  1. Borrowed 16,839,004 WUSD from WaultSwapPair (BSC_BUSD-WUSD) through a flash loan.
  2. Called the redeem function in the WUSDMaster contract to burn the WUSD borrowed through flash loans and exchange it for BSC_USDT and WEX.
  3. Borrowed 40,000,000 BSC_USDT from PancakePair (WBNB-BSC_USDT) through a flash loan.
  4. Exchanged 23,000,000 BSC_USDT for WEX in WaultSwapPair (BSC_USDT-WEX). At this point, the attacker has prepared for arbitrage.

WEX Quantity: 624,440,724 = 106,502,606 + 517,938,118

Source of WEX: redeem operation + Exchange in WaultSwapPair (BSC_USDT-WEX)

Step 2: Creating an arbitrage opportunity by causing imbalance in the BSC_USDT-WEX pool

  1. Called the stake function in the WUSDMaster contract multiple times (68 times).

2. The stake function executes the wswapRouter.swapExactTokensForTokensSupportingFeeOnTransferTokens to swap some of the staked BSC_USDT for WEX, which reduces the amount of WEX in the WaultSwapPair (BSC_USDT-WEX) pool and increases its value.

3. After multiple stakes, the BSC_USDT-WEX pool has more BSC_USDT and less WEX, creating an arbitrage opportunity.

4. Moreover, the attacker uses a 1:1 exchange rate of BSC_USDT and WUSD each time they call the stake function, causing additional imbalance in the BSC_USDT-WEX pool without loss.

Step 3: Conducting arbitrage and repaying flash loans

  1. The attacker exchanges the prepared WEX for more BSC_USDT in the already imbalanced BSC_USDT-WEX pool; 624,440,724 WEX => 25,930,747 BSC_USDT.
  2. After repaying the flash loan with the WUSD obtained from multiple (68 times) calls to the stake function, the remaining 110,326 WUSD are exchanged for BSC_BUSD through WaultSwapPair (BSC_BUSD-WUSD); 110,326 WUSD => 109,284 BSC_BUSD.
  3. The obtained BSC_USDT and BSC_BUSD are then exchanged for BEP_ETH after repaying the flash loans.

MistTrack Analysis

The SlowMist AML team analyzed the attack and estimated that the attacker gained 370 BEP_ETH, and transferred the funds through Anyswap, resulting in a loss of approximately $930,000.

Fund Flow Analysis

The SlowMist AML team found the following wallet addresses related to the attacker(0x886358f9296De461d12e791BC9Ef6F5a03410C64):

The SlowMist AML team’s MistTrack anti-money laundering tracking system found that the attacker first withdrew funds from Binance to obtain the initial capital, and then deployed the contract.

Through three operations, the attacker exchanged ETH for anyETH and then cross-chained the obtained ETH to an Ethereum address: 0x886358f9296De461d12e791BC9Ef6F5a03410C64 through a cross-chain platform.

It is worth noting that:

  1. The cross-chain Ethereum address, 0x886358f9296De461d12e791BC9Ef6F5a03410C64, had a transaction that was sent to Binance.

2. The initial transaction to the attacker’s profit address was a transfer of 100 ETH from the mixer platform Tornado.Cash.

Event Timeline (UTC)

  • 1:25:07 Attacker withdraws 100 ETH from Tornado Cash
  • 1:27:09 Attacker deposits 1 ETH to Binance
  • 1:35:24 Attacker withdraws 2 BNB to BSC from Binance
  • 1:35:27 Attacker withdraws 0.72213159 ETH to BSC from Binance
  • 1:43:52–1:49:05 Attacker deploys the contract and executes the attack on BSC

As of now, the attacker’s profit address 0x886358f9296De461d12e791BC9Ef6F5a03410C64 has a balance of 468.99 ETH.

Summary

This attack is a classic example of using flash loans for arbitrage. Due to the design flaws in the economic model, attackers can conduct arbitrage attacks on the WaultSwapPair (BSC_USDT-WEX) pool. During the development of a project, it is recommended that third-party professional teams or experts conduct scenario-based analysis on the project’s attack surface in various DeFi scenarios, identify possible attack surfaces, optimize and reinforce the project from an economic model and architectural design perspective.

The SlowMist security team has added the attacker’s address to the AML system for monitoring and used the linkage capability of the AML system to block the attacker’s funds as much as possible.

Reference attack transaction:

https://bscscan.com/tx/0x31262f15a5b82999bf8d9d0f7e58dcb1656108e6031a2797b612216a95e1670e

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, O3Swap, etc.

Website:
https://www.slowmist.com
Twitter:
https://twitter.com/SlowMist_Team
Github:
https://github.com/slowmist/

Blockchain
Security
Hacking

--

--

SlowMist
SlowMist

Written by SlowMist

3.4K Followers
6 Following

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams