Decoding vETH Token’s $450K Exploit
Overview:
On November 14, 2024, the vETH token was exploited due to a business logic error in its lending mechanism. This exploit resulted in a loss of approximately $450k USD. The attack targeted interactions between the vETH token’s takeLoan function and a liquidity-adding function in the Factory contract, which manipulates the state of Uniswap pairs. The attacker leveraged this flaw to acquire vETH tokens without incurring the intended cost.
About Project:
The vETH token (VirtualToken) is an ERC-20 token designed to facilitate token lending, wrapping, and unwrapping functionalities. It features a controlled loan mechanism, allowing only authorized factory contracts to call its takeLoan function and manage user debt. The token also integrates access control through a whitelist and factory mechanism, ensuring that interactions are limited to approved entities.
Exploit Details:
Attacker Address: 0x713d2b652e5f2a86233C57Af5341Db42a5559Dd1
Attacker Contract: 0x351D38733DE3f1E73468d24401c59F63677000C9
Vulnerable Contract: 0x280A8955A11FcD81D72bA1F99d265A48ce39aC2E
Attack Transaction: 0x900891, 0x90db33, 0x1ae40f
Attack Process:
- The attacker started the attack by taking a flash loan of 32,560 Wrapped ETH (WETH) from the Balancer vault.
- The attacker identified a function in the Factory contract capable of calling the takeLoan function from the vETH token contract. This function was intended to manage liquidity by borrowing vETH against user deposits.
- The attacker exploited this function to interact with Uniswap V2 pairs (e.g., vETH-BIF). By leveraging user BIF tokens, the function added liquidity to the pair and increased the pool’s constant product x*y = k.
- During this liquidity addition, the state of the Uniswap pool was manipulated. The attacker gained vETH tokens as a result of the inflated pool state, bypassing the intended costs.
- The attacker executed this process across multiple Uniswap V2 pairs, including vETH-BIF, vETH-Cowbo, and vETH-BOVIN.
- The attacker converted the gained vETH tokens to other assets, extracting approximately $450,000.
The Root Cause
The root cause of the hack was a flawed interaction between the takeLoan function in the vETH contract and the liquidity-adding function in the Factory contract. This function allowed state manipulation of Uniswap pools, enabling the attacker to inflate the pool's constant product and mint vETH without proper cost.
Flow of Funds
See the funds flow here
How could they have prevented the Exploit?
- The Factory contract should have included strict checks to ensure that adding liquidity to Uniswap pools does not inadvertently manipulate the pool’s constant product or allow unintended gains.
- The takeLoan function should have incorporated additional checks to validate the context and intent of its calls, ensuring it could not be exploited through liquidity-adding operations.
- Collaborate with reputable auditors like QuillAudits to analyse smart contracts and identify vulnerabilities.
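The following Solidity contracts are an added illustration of the two defensive checks recommended above, covering both the factory-to-takeLoan path described in the attack process and the prevention points. They are not the vETH or Factory source code; the interface names, the loan cap, the tolerance constant and the exact invariants are assumptions chosen to show what "validating the context of a takeLoan call" and "checking the pool state around a liquidity addition" can look like in practice.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this write-up, not the vETH or Factory source code.
// Interface names, constants and the exact invariants are assumptions chosen
// to show (1) a takeLoan that validates its caller and books debt and (2) a
// factory liquidity helper that checks the Uniswap V2 pool state it touches.

interface IUniswapV2Pair {
    function token0() external view returns (address);
    function getReserves() external view returns (uint112 r0, uint112 r1, uint32 ts);
    function totalSupply() external view returns (uint256);
    function mint(address to) external returns (uint256 liquidity);
}

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Loanable token: takeLoan is only callable by an approved factory, credits
/// only that factory, stays within a cap, and books every unit lent as debt.
contract HardenedVirtualToken {
    address public immutable owner;
    uint256 public constant MAX_LOAN = 10_000 ether;        // assumed per-factory cap
    mapping(address => bool) public isFactory;
    mapping(address => uint256) public debtOf;
    mapping(address => uint256) public balanceOf;
    bool private locked;

    constructor() { owner = msg.sender; }

    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    function setFactory(address f, bool ok) external {
        require(msg.sender == owner, "not owner");
        isFactory[f] = ok;
    }

    // Context checks: the caller must be an approved factory, the credit goes to
    // msg.sender (never to a caller-supplied address), and debt is booked first.
    function takeLoan(uint256 amount) external nonReentrant {
        require(isFactory[msg.sender], "caller is not an approved factory");
        require(amount > 0 && debtOf[msg.sender] + amount <= MAX_LOAN, "loan cap");
        debtOf[msg.sender] += amount;
        balanceOf[msg.sender] += amount;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Factory: adds liquidity at the pool's current price only, keeps the LP
/// tokens itself, and reverts if the pool state after mint differs from what
/// a plain proportional deposit would produce.
contract HardenedFactory {
    HardenedVirtualToken public immutable veth;
    uint256 public constant TOLERANCE_BPS = 10;             // assumed rounding slack
    mapping(address => mapping(address => uint256)) public lpOf; // user => pair => LP share

    constructor(HardenedVirtualToken v) { veth = v; }

    // Reserves ordered as (vETH, other token) regardless of token0/token1 layout.
    function _reserves(IUniswapV2Pair pair) internal view returns (uint256 rV, uint256 rT) {
        (uint112 r0, uint112 r1,) = pair.getReserves();
        if (pair.token0() == address(veth)) return (r0, r1);
        return (r1, r0);
    }

    function addLiquidity(IUniswapV2Pair pair, IERC20 token, uint256 tokenAmount) external {
        (uint256 rV, uint256 rT) = _reserves(pair);
        require(rV > 0 && rT > 0, "empty pool: price would be caller-chosen");

        // Borrow exactly the vETH that matches the current price, so the deposit
        // is proportional and cannot move the pool's price.
        uint256 vethAmount = tokenAmount * rV / rT;
        require(vethAmount > 0, "deposit too small");
        uint256 lpBefore = pair.totalSupply();

        veth.takeLoan(vethAmount);
        require(token.transferFrom(msg.sender, address(pair), tokenAmount), "token transfer");
        require(veth.transfer(address(pair), vethAmount), "vETH transfer");
        uint256 minted = pair.mint(address(this));          // LP stays with the factory

        // Post-state checks: reserves grew by exactly the two deposits (any stray
        // balance sitting in the pair would be swept in by mint and fail here) ...
        (uint256 nV, uint256 nT) = _reserves(pair);
        require(nV == rV + vethAmount && nT == rT + tokenAmount, "unexpected reserve change");
        // ... the LP share matches the deposit (minted/lpBefore ~ tokenAmount/rT) ...
        uint256 expected = tokenAmount * lpBefore / rT;
        require(minted * 10_000 >= expected * (10_000 - TOLERANCE_BPS), "LP shortfall");
        // ... and no loaned vETH is left anywhere except inside the pool.
        require(veth.balanceOf(address(this)) == 0, "loaned vETH left outside the pool");

        lpOf[msg.sender][address(pair)] += minted;
    }
}
```

The point of the factory checks is that a liquidity addition has a fully predictable effect on a constant-product pool: both reserves grow by the deposited amounts, the price is unchanged, and the LP tokens minted are proportional to the deposit. Asserting those three facts after the call, rather than trusting the pool, turns any path that ends with extra vETH in the wrong hands into a revert. The token-side checks ensure that a takeLoan call can only originate from a known factory, can only credit that factory, and always leaves a debt record behind, which is the "context and intent" validation the prevention list calls for.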
Why QuillAudits?
Choosing a reputable audit firm like QuillAudits ensures that your protocol undergoes rigorous scrutiny from experienced security professionals. QuillAudits specializes in uncovering critical vulnerabilities and providing actionable remediation strategies. Our expertise helps safeguard your project from attacks, ensuring that security issues are addressed proactively.