SlowMist: Value DeFi vSwap Module Hack Analysis

According to news from SlowMist Zone, Value DeFi, a DeFi project on Binance Smart Chain, was hacked today. The SlowMist security team got involved immediately and is sharing its findings in the form of this newsletter for your reference.

Attack analysis

2. At the same time, the attacker takes out a flash loan, so the vSwap contract transfers vBSWAP tokens and WBNB to the attacker.

3. Before completing the entire swap and updating the token amounts recorded for the pool, the contract checks whether the amounts of tokens in the pool meet expectations, selecting one of two algorithms depending on whether the pool's tokenWeight0 parameter is 50.

4. Since the tokenWeight0 parameter of the vSwap contract is set to 70, the second algorithm is used to check the token amounts in the pool.

5. The key point of the vulnerability is that, when the second algorithm is used for this check, specially constructed data can pass it.

6. The second algorithm performs the check by calling the ensureConstantValue function of the formula contract, passing in the token amounts cached in the pool and the real-time token amounts.

7. After specific analysis and debugging of this algorithm, we found that when WBNB is used to buy the smallest unit (i.e. 0.000000000000000001) of vBSWAP, a huge fluctuation range is allowed between the WBNB value cached in the pool and the real-time value; the algorithm's check passes for any value within this range.

8. Therefore, the attacker can transfer in WBNB to exchange for the smallest unit of vBSWAP while simultaneously borrowing a large amount of WBNB from the pool via flash loan. Due to the algorithm flaw, the vSwap check still passes without the flash loan being repaid.

9. The attacker only needs to repeat this process across all vSwap pools to drain the liquidity in each pool and realize the profit.
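To make the check in step 6 concrete, here is an added example (not code from SlowMist or from the Value DeFi project) of what a constant-value check for a 70/30 weighted two-token pool has to enforce when it compares cached reserves against real-time balances, computed with exact integer arithmetic. Only the weights (tokenWeight0 = 70) and the 1 wei smallest unit come from the analysis above; the pool sizes, trade amounts and all function names are constructed assumptions.

```python
# Added example (not SlowMist's or Value DeFi's code): an exact-arithmetic
# version of the "constant value" invariant check for a weighted two-token
# pool. Weights 70/30 follow the analysis (tokenWeight0 = 70); every token
# amount below is a constructed sample value in wei, not on-chain data.
from typing import Tuple

TOKEN_WEIGHT0 = 70                    # weight of token0 (WBNB in the analysis), in percent
TOKEN_WEIGHT1 = 100 - TOKEN_WEIGHT0   # weight of token1 (vBSWAP)
ONE = 10 ** 18                        # 1 wei = 0.000000000000000001 token


def weighted_invariant(balance0: int, balance1: int,
                       w0: int = TOKEN_WEIGHT0, w1: int = TOKEN_WEIGHT1) -> int:
    """Exact K = balance0**w0 * balance1**w1 using Python big integers.

    The percent weights are used directly as integer exponents. Because x -> x**100
    is monotone for positive x, comparing two such values gives the same answer as
    comparing balance0**(w0/100) * balance1**(w1/100), with no fixed-point power
    approximation and therefore no rounding slack for a caller to exploit.
    """
    return balance0 ** w0 * balance1 ** w1


def ensure_constant_value_exact(reserve0: int, reserve1: int,
                                balance0: int, balance1: int,
                                w0: int = TOKEN_WEIGHT0, w1: int = TOKEN_WEIGHT1) -> bool:
    """Accept a swap only if the real-time balances keep the invariant at or above
    the value implied by the cached reserves (a swap fee makes it grow slightly).

    reserve0/reserve1: amounts cached in the pool before the swap.
    balance0/balance1: real-time amounts measured during the swap.
    Fails closed on empty or negative balances.
    """
    if balance0 <= 0 or balance1 <= 0:
        return False
    return (weighted_invariant(balance0, balance1, w0, w1)
            >= weighted_invariant(reserve0, reserve1, w0, w1))


def relative_drift(cached: int, realtime: int) -> float:
    """Fractional move of the real-time amount away from the cached amount."""
    return (realtime - cached) / cached


def simulate_swap(reserve0: int, reserve1: int, amount0_in: int, amount1_out: int,
                  amount0_out: int = 0) -> Tuple[int, int]:
    """Real-time balances after token0 is sent in and token1 (and optionally
    token0 as well, e.g. an unrepaid flash loan) is sent out."""
    return reserve0 + amount0_in - amount0_out, reserve1 - amount1_out


# Constructed pool state: 1,000 WBNB and 10,000 vBSWAP.
RESERVE0 = 1_000 * ONE
RESERVE1 = 10_000 * ONE


def honest_swap_passes() -> bool:
    """1 WBNB in, 23 vBSWAP out (just under the ~23.3 the 70/30 curve allows)."""
    b0, b1 = simulate_swap(RESERVE0, RESERVE1, amount0_in=1 * ONE, amount1_out=23 * ONE)
    return ensure_constant_value_exact(RESERVE0, RESERVE1, b0, b1)


def drain_attempt_passes() -> bool:
    """1 WBNB in, 1 wei of vBSWAP out, and 500 WBNB taken out and not returned:
    the shape of the trade described in step 8. An exact check must reject it."""
    b0, b1 = simulate_swap(RESERVE0, RESERVE1, amount0_in=1 * ONE,
                           amount1_out=1, amount0_out=500 * ONE)
    return ensure_constant_value_exact(RESERVE0, RESERVE1, b0, b1)


if __name__ == "__main__":
    print("honest swap accepted:", honest_swap_passes())      # True
    print("drain attempt accepted:", drain_attempt_passes())  # False
    b0, _ = simulate_swap(RESERVE0, RESERVE1, 1 * ONE, 1, 500 * ONE)
    print(f"WBNB drift in drain attempt: {relative_drift(RESERVE0, b0):+.1%}")
```

Implemented this way, the comparison is indifferent to how small the vBSWAP amount is: any trade that lowers the weighted invariant, including one that removes a large share of the cached WBNB, is rejected. When reviewing a pool that relies on a fixed-point power approximation instead, the questions to ask are how large the approximation error can be relative to the reserves, whether rounding is conservative for the pool (never in favour of the caller), and whether the reserves-versus-balances comparison fails closed.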

