Post-Mortem — Flash-Loan Exploit in single NXUSD Market

Zeus Nereus, Nereus-protocol
Sep 7, 2022

Nereus Community,

Yesterday, the AVAX/USDC Joe LP NXUSD market was exploited, resulting in the creation of $500k NXUSD bad debt in the NXUSD protocol.

At approximately 10:30 PM UTC on September 6th, the Nereus team notified the community of an incident through the community Discord; this was later picked up by CertiK and other on-chain analysis groups and reported broadly as a flash-loan exploit resulting in a $371k gain.

In the hours that followed, Nereus quickly consulted security experts, developed a mitigation plan, and notified law enforcement to support efforts. In response, the Nereus team has mitigated the exploit by liquidating and pausing the exploited JLP market.

The team has also paid off the bad debt using NXUSD from the Team’s treasury. No user funds are at risk, and NXUSD continues to be overcollateralised.

In addition, no part of the lending and borrowing protocol was ever at risk.

So what happened?

An exploiter was able to deploy a custom smart contract that leveraged a $51M flash loan to manipulate the AVAX/USDC Trader Joe LP pool price for a single block, which allowed the exploiter to mint 998,000 NXUSD against ~$508k worth of collateral.

How did this happen?

We recently launched one of our newest collateral types, supporting AVAX/USDC Trader Joe LP tokens. However, there was a missed step in the price calculation resulting in the opportunity to be exploited.

The price calculation was based on the current wavaxReserve, usdcReserve, and totalSupply values, read on-chain directly from the Trader Joe pool, with no time-weighted average price (TWAP) mechanism in place to prevent single-block manipulation.

Thanks to @PeckShield for this image

LP price = (wavaxReserve * avaxPrice + usdcReserve * usdcPrice) / totalSupply

As you can see, wavaxReserve, usdcReserve, and totalSupply were susceptible to price manipulation due to the lack of a TWAP calculation. This is shown here in the manipulated pool price chart:

AVAX/USDC Trader Joe Pool — spike is at Block Height: 19613453
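
An added illustration (not Nereus code and not part of the original post): a constant-product pool valued with the LP price formula above, once from spot reserves and once from block-weighted average reserves. The `Pool` class, its accumulators, the reserves, the supply and the oracle prices are all constructed assumptions, and swap fees are ignored.

```python
from dataclasses import dataclass

AVAX_PRICE, USDC_PRICE = 19.0, 1.0  # constructed external (oracle) prices in USD

@dataclass
class Pool:
    """Constant-product WAVAX/USDC pool, fees ignored. All figures are constructed."""
    wavax: float = 1_000_000.0
    usdc: float = 19_000_000.0
    total_supply: float = 1_000.0
    cum_wavax: float = 0.0  # running sum of reserve * blocks held
    cum_usdc: float = 0.0
    last_block: int = 0

    def sync(self, block: int) -> None:
        # Credit the reserves that stood since last_block before they change.
        elapsed = block - self.last_block
        self.cum_wavax += self.wavax * elapsed
        self.cum_usdc += self.usdc * elapsed
        self.last_block = block

    def swap_usdc_for_wavax(self, usdc_in: float, block: int) -> float:
        self.sync(block)
        k = self.wavax * self.usdc
        self.usdc += usdc_in
        wavax_out = self.wavax - k / self.usdc
        self.wavax -= wavax_out
        return wavax_out

def lp_price(wavax_reserve: float, usdc_reserve: float, total_supply: float) -> float:
    # The formula quoted in the post-mortem.
    return (wavax_reserve * AVAX_PRICE + usdc_reserve * USDC_PRICE) / total_supply

def spot_lp_price(pool: Pool) -> float:
    return lp_price(pool.wavax, pool.usdc, pool.total_supply)

def twap_lp_price(pool: Pool, start_block: int = 0) -> float:
    # Average reserves over the window; assumes accumulators were 0 at start_block.
    window = pool.last_block - start_block
    return lp_price(pool.cum_wavax / window, pool.cum_usdc / window, pool.total_supply)

def simulate(flash_usdc: float = 51_000_000.0, block: int = 100) -> dict:
    pool = Pool()
    honest = spot_lp_price(pool)
    pool.swap_usdc_for_wavax(flash_usdc, block)  # reserves skewed inside one block
    same_block = {"spot": spot_lp_price(pool), "twap": twap_lp_price(pool)}
    pool.sync(block + 1)  # skew left standing for one full block
    return {"honest": honest, **same_block, "twap_next_block": twap_lp_price(pool)}

if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:16s} {value:>12,.2f} USD per LP token")
```

With these constructed figures the spot valuation roughly doubles inside the block while the time-weighted valuation is unchanged, and a skew held for one full block moves a 101-block average by about 1%.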

Now let’s look at the exploit transaction:

https://snowtrace.io/tx/0x0ab12913f9232b27b0664cd2d50e482ad6aa896aeb811b53081712f42d54c026

In advance of the exploit, the exploiter deployed a custom contract that facilitated this trade in a single block.

How did the exploiter pull this off in a single block?

  1. Call Flash loan of 51,000,000 USDC in AAVE v3
  2. Swap 280,000 USDC => 14,735 WAVAX in the wAVAX/USDC Joe pool
  3. Add liquidity 260,000 USDC and 13,401 WAVAX to Joe pool (resulting in the acquisition of 0.04533097793130507 JLP token).
  4. Swap the remaining 50,460,000 USDC => 505,213 WAVAX in Joe pool, pushing the equivalent pool price up to ~$98 per WAVAX.
  5. Call the borrow function in the NXUSD market, deposit 0.04533097793130507 JLP, and borrow 998,000 NXUSD from the market. [The collateral value of ~0.0453 JLP was now calculated as $1,330M USD, when the real market value was ~$500K USD]
  6. Swap 506,547 WAVAX (505,213 + (14,735 - 13,401)) => 50,426,896 USDC in Joe pool
  7. Swap 998,000 NXUSD => 955,678 avCRV in NXUSD Factory 3crv pool
  8. Swap 955,678 avCRV => 977,269 USDC.e in 3crv pool.
  9. Swap 977,269 USDC.e => 970,010 USDC (173,238 + 796,772).
  10. Repay flash loan 51,025,500 USDC to AAVE v3.

Outcome for Exploiter: (970,010 + 50,426,896) - 51,025,500 = 371,406 USDC profit.

The protocol acted as anticipated, and the NXUSD market for JLP tokens was limited to $1M, which had been set as a security limit. While unfortunate, this was a good battle test of the protocol and the protocol performed as expected.

Will this happen again?

No. Going forward, TWAP calculations will be implemented along with other upgrades to pricing feeds for collateral assets that do not have Chainlink oracles. In addition, all other markets in the NXUSD protocol are based on Chainlink oracles, except for the price of avCRV, which is provided through the virtual price as well as support from Chainlink oracles for each underlying token (USDC, DAI, USDT).

Was Lending and Borrowing exploited?

No, the Lending and Borrowing protocol on https://app.nereus.finance was not affected by this exploit. The lending and borrowing platform continues to operate as expected and is currently offering a WXT bonus as well as strong variable rates.

What is next?

The team has paid off the bad debt, and the Curve pool is back in balance. The team continues to work toward identifying the bad actor and is offering a 20% White Hat reward for the return of the funds, no questions asked. Concurrently, we have reached out to different resources to help us track the movement of funds as we attempt to recover them.

In addition, the team will be amending our audit and security practices in order to ensure these types of events do not occur in the future. While this exploit is a bad incident, it’s not uncommon for protocols to face these types of battle tests. As we are about to aggressively expand, we will continue to invest in our capabilities and risk mitigation strategies.

-Zeus

Be sure to join us at https://discord.gg/nereus

Follow us on twitter https://twitter.com/nereusfinance

Check out our Free mint free NFT Launch on September 22nd.

Join the premint here: https://www.premint.xyz/nereus/
