SlowMist: Value DeFi vSwap Module Hack Analysis

According to the news from SlowMist Zone, Value Defi, a Binance Smart Chain DeFi project, was been hacked today. The SlowMist get involved immediately and share the result in a form of a newsletter for your reference.

Attack analysis

1. The attacker fisrtly swap 0.05 WBNB for vBSWAP token.

2. At the meanwhile, the attacker make a flashloan, so vSwap contract will transfer the vBSWAP token and WBNB to the attacker.

3. Before completing the entire exchange process and updating the amount of tokens in the pool, different algorithms will be selected according to whether the tokenWeight0 parameter of the pool is 50 to check whether the amount of tokens in the pool meets expectations.

4. Since the tokenWeight0 parameter of the vSwap contract is set to 70, the second algorithm will be used to check the amount of tokens in the pool.

5. The key point of the vulnerability is that when the second algorithm is used for inspection, the inspection can be passed through specially constructed data.

6. The second algorithm is checked by calling the ensureConstantValue function of the formula contract and passing in the amount of tokens cached in the pool and the amount of real-time tokens.

7. After specific analysis and debugging of this algorithm, we can find that when using WBNB to exchange the smallest unit (ie 0.000000000000000001) vBSWAP, a huge fluctuation range is allowed between the WBNB value cached in the pool and the real-time value. This algorithm check within this range will pass.

8. Therefore, the attacker can transfer to WBNB to exchange the smallest unit of vBSWAP tokens, and at the same time lend a large amount of WBNB tokens in the pool through flash loan. Due to algorithm problems, they can still pass vSwap check without repaying the flash loan.

9. The attacker only needs to repeat this process continuously in all vSwap pools to steal the liquidity in the pool and complete the profit.

Reference link:

About us

SlowMist Technology is a company focused on blockchain ecosystem security. It has served many top or well-known projects around the world through “the security solution that integrated the threat discovery and threat defense while tailored to local conditions” and has nearly a thousand commercial customers. SlowMist’s security solutions include security audit, threat intelligence (BTI), bug bounty, defense deployment, security consultant, and other services. SlowMist is equipped with cryptocurrency anti-money laundering (AML), false top-up scanner, vulnerability scanner, and vulnerability monitoring (Vulpush), hacked project archives (SlowMist Hacked), smart contract firewall (FireWall.X), Safe Staking and other SAAS security products. It has been widely concerned and recognized by the industry.




Focuses on Blockchain Ecosystem Security, have served over 1k+ customers.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Scanning IP Address Version 4

CEO of Xpass: Digital identity is not a technological problem, it is a legal problem

Taraxa Top Block Producer winners for Week-48, 2021

How to Create a Culture of Cybersecurity at Your Company

The #bounty program is running on #GameJetNetwork

Could IPSX be a solution for some of the problems imposed by the net neutrality repeal?

Hack The Box (Grandpa/Granny)

Vulnerability Capstone — Tryhackme

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Focuses on Blockchain Ecosystem Security, have served over 1k+ customers.

More from Medium

Uniswap V3 LP Guide [EN/KR]

How to DeFi Beginner(second part)

DeFi Security Lecture 5-Overflow and Underflow Vulnerability

Bumper partners with Visor for management of BUMP-ETH liquidity on Uniswap v3