Belt Finance V2 Incident: Exploit Analysis

JisuPark (jitkuu)
Published in SOOHO Blog, May 30, 2021

TL;DR

  • Belt Finance V2 suffered flash loan attacks that led to a loss of more than $6M BUSD at May-29-2021 07:09:34 PM +UTC
  • The incident happened in the new multi-strategy vaults introduced in V2
  • SOOHO audited V1 three months ago and did not participate in V2
  • Keep your DeFi project safe with continuous security

Disclaimer

SOOHO follows responsible disclosure, and the purpose of this article is to provide accurate information to the community. SOOHO performed a security audit of Belt Finance V1, but unfortunately we did not participate in V2, where this incident occurred.

About Belt Finance

Belt Finance is a stableswap AMM protocol incorporating multi-strategy yield optimization. It runs on Binance Smart Chain (BSC) and recently added support for the Huobi ECO chain (HECO).

What changes in V2?

Following the explosive growth of Belt Finance V1, which supported only the Venus protocol strategy, Belt was updated to V2, which supports multiple pools with multiple yield strategies for yielding across BSC DeFi services.

New pool called 4Belt LP (ref. Belt Finance Medium)

Belt V2 uses an incentive bonus system to steer deposits and withdrawals so that each asset makes up 25% of the 4Belt pool. The price of each asset is calculated by aggregating the relevant strategies.

What happened in the transaction?

The attacker manipulated the BUSD-USDT price through Ellipsis and used the Venus Strategy of BUSD. A total of 8 transactions were used in the incident. Only the first transaction includes step 2. Each transaction consists of the steps below.

STEP #1. Flash Loans

The attacker used 8 flash loans of about $387m from PancakeSwap.

STEP #2. Deposit $10m BUSD in bEllipsisBUSD

The attacker deposited $10m BUSD in the Ellipsis Strategy. Only the first transaction includes this step. It is used to manipulate the BUSD-USDT pair price in step 4.

STEP #3. Deposit $187m BUSD in bVenusBUSD

The attacker deposited $187m BUSD in the Venus Strategy and accordingly received $184m of beltBUSD tokens.

STEP #4. Swap $190m BUSD to $170m USDT through Ellipsis

Swapping BUSD for USDT in Ellipsis manipulates the BUSD-USDT pair price.

STEP #5. Withdraw $187m and extra $11 BUSD from bVenusBUSD

The attacker has $187m beltBUSD through step 3, but the price has already been manipulated through step 4. As a result, the attacker was able to withdraw $11m BUSD more than the deposited funds ($187m BUSD) from Venus Strategy.

The root cause is that Belt V2 calculates the MultiStrategyToken price by aggregating its strategies.

In other words, the manipulated price in Ellipsis affects Belt Finance V2 through the code below.

STEP #6. Swap back the $170 USDT to $189m BUSD through Ellipsis

The attacker swapped $170 USDT back through Ellipsis and got $189m BUSD back. (Actual exploit is $0.6m)

STEP #7. Deposit back the $197m BUSD to bVenusBUSD

The attacker deposits $197m BUSD back to the Venus Strategy. Note that the original withdrawal in step 5 is $198m.

STEP #8. Repeat from Step 3 to Step 7 multiple times

The attacker repeated steps 3 to 7 over 7 times.

STEP #9. Payback the flash loans

Finally, the attacker pays back the flash loans from step 1. Moreover, the attacker repeats the whole sequence of steps (i.e., transactions) multiple times.
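
The root cause described in step 5, a share price that aggregates every strategy's value, can be checked with a small accounting model. This is an added example, not Belt Finance's contract code and not code from the original post; the `Vault` class, the `spot` and `reference` prices, the `max_deviation` guard and all numbers are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Vault:
    venus_busd: float    # strategy A: plain BUSD balance
    ellipsis_lp: float   # strategy B: LP units, valued through a pool price
    shares: float        # outstanding vault shares (beltBUSD-like)
    max_deviation: Optional[float] = None   # None = naive vault, no guard

    def total_value(self, spot: float, reference: float) -> float:
        # Hardened mode (assumed mitigation): refuse to price shares off a
        # spot quote that has drifted from an independent reference price.
        if self.max_deviation is not None:
            if abs(spot - reference) / reference > self.max_deviation:
                raise ValueError("spot price deviates from reference")
        # Aggregation: strategy B's pool-derived value feeds the share price
        # that users of strategy A deposit and withdraw at.
        return self.venus_busd + self.ellipsis_lp * spot

    def deposit(self, busd: float, spot: float, reference: float = 1.0) -> float:
        minted = busd * self.shares / self.total_value(spot, reference)
        self.venus_busd += busd
        self.shares += minted
        return minted

    def withdraw(self, shares: float, spot: float, reference: float = 1.0) -> float:
        paid = shares * self.total_value(spot, reference) / self.shares
        self.venus_busd -= paid
        self.shares -= shares
        return paid

def round_trip_gain(vault: Vault, amount: float,
                    spot_at_deposit: float, spot_at_withdraw: float) -> float:
    """Deposit, let the pool quote move, withdraw; return BUSD gained.
    A sound vault should never return more than was deposited."""
    minted = vault.deposit(amount, spot_at_deposit)
    return vault.withdraw(minted, spot_at_withdraw) - amount

if __name__ == "__main__":
    # Constructed balances: 100 BUSD per strategy, 200 shares outstanding.
    print(round_trip_gain(Vault(100.0, 100.0, 200.0), 100.0, 1.0, 1.0))
    print(round_trip_gain(Vault(100.0, 100.0, 200.0), 100.0, 1.0, 1.1))
```

In the naive vault the gain is paid out of the other share holders' balance; with `max_deviation` set, the same withdrawal is rejected instead of being priced off the moved quote.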

Updates

About SOOHO

SOOHO provides an automated way for blockchain-based companies to improve their level of security with our smart contract analysis program ‘Odin’. Odin has detected vulnerabilities in various blockchain software, including tokens, DeFi, Dapps, Hyperledger apps, and Mainnet projects. It can detect security vulnerabilities in smart contracts and even suggest a way to fix them in real time. More information can be found on our website (www.sooho.io).
