On the Vesper Lend Beta / Rari Fuse Pool #23 Exploit
Updated 2021-11-04 1200 ET
[UPDATE: 2021-11-04 1200 ET: An update from Jeff Garzik. Scroll to bottom.]
The Vesper Lend beta on Rari Fuse (Pool #23) was exploited today. To recap and add some detail to what has been posted throughout the day on Twitter and our other channels, this is what we know. (This post will be updated as new information becomes available.)
Who Is Impacted?
Impacted users are:
- Depositors in Vesper Lend beta (i.e., Rari Fuse Pool #23)
The following users are not negatively impacted:
- Participants in Vesper Aggressive and Vesper Conservative Grow pools
- Participants in the Vesper Earn (beta) pool
What Is the User Impact?
As of this evening U.S. time, here’s what the aftermath of the exploit looks like for different users:
- Vesper Lend beta (Rari Fuse Pool #23): Users will see a higher APY across all tokens because of the debt taken on by the exploiter. However, vVSP holders will not be able to withdraw until more liquidity becomes available. For those who do want to withdraw, this will open up over the next few weeks — liquidity will slowly open up as the narrow channel of supply widens to meet the flow of demand.
- Vesper Grow (Aggressive): Funds are SAFU. Aggressive pools used Rari Fuse Pool #23 partially as a yield source. Users will also see a slightly higher APY here.
- Vesper Earn (Beta): Funds are SAFU. Similarly, users will see a slight APY bump. Vesper Earn uses the Vesper Aggressive DAI Pool as a yield source, which in turn used Rari Fuse Pool #23.
- Vesper Grow (Conservative): Funds are SAFU. These users are not affected, as no Conservative Grow pools used Rari Fuse Pool #23 as a yield source.
- VUSD Holders: Funds are SAFU. VUSD price was manipulated upward, but the collateral system remains solvent.
As soon as the community and VBC team became aware of the issue, they:
- Coordinated with Rari Capital, Yearn, and Uniswap to assess the situation and determine solutions.
- Paused borrowing of VUSD and vVSP on #23.
- Set VUSD’s collateral factor to “zero.”
- Paused all other activity to focus on addressing this exploit.
Going into Day Two, the VBC team continues its investigation and resolution and will continue to update the community.
How the Attack Worked
Here’s what appears to have occurred:
- As a first step, the attacker got 100 ETH from tornado.cash, so as to ensure privacy.
- They then swapped 58 ETH for USDC.
- Using this USDC, they purchased all available VUSD on the Uniswap v3 0.05% fee tier, pushing that market out-of-range.
- They then created a new LP position of 0.1 USDC marked at a price of trillions of VUSD per USDC.
- The Uniswap v3 oracle therefore reported a price in the trillions for the 0.05% fee range.
- The Rari lending market received the VUSD price using the price feed from the Uniswap v3 oracle and valued VUSD collateral at a price of “infinity.”
- The attacker provided the purchased VUSD as collateral to Vesper Lend, which essentially gave them “infinite” collateral to borrow all available assets.
- The attacker used the VUSD collateral to borrow roughly 3.5 million in miscellaneous assets.
- 735 ETH accrued currently sit here.
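The steps above rely on a lending market accepting whatever a thin Uniswap v3 pool's oracle reports. The following is an added example, not code from Vesper, Rari or Uniswap: a feed guard that refuses to value collateral when a short-window TWAP diverges from a longer one or when in-range liquidity is below a floor. The windows, thresholds, function names and observation data are all assumptions constructed for illustration.

```python
# Added illustration: thresholds, windows and sample data are assumptions.
SHORT_WINDOW = 600         # seconds, feed window being checked
LONG_WINDOW = 86_400       # seconds, slower reference window
MAX_DEVIATION = 0.05       # allowed relative gap between the two TWAPs
MIN_LIQUIDITY = 1_000_000  # floor for in-range pool liquidity (pool units)

def build_observations(intervals):
    """Turn (duration_seconds, tick) pairs into (timestamp, tick_cumulative)
    observations, the way a Uniswap v3 style pool accumulates tick * time."""
    ts, cum, obs = 0, 0, [(0, 0)]
    for duration, tick in intervals:
        ts += duration
        cum += tick * duration
        obs.append((ts, cum))
    return obs

def twap_price(obs, window):
    """Geometric-mean price over the trailing window: 1.0001 ** average tick.
    Simplification: uses the oldest stored observation inside the window."""
    end_ts, end_cum = obs[-1]
    start_ts, start_cum = next(o for o in obs if o[0] >= end_ts - window)
    if start_ts == end_ts:
        raise ValueError("need two observations inside the window")
    return 1.0001 ** ((end_cum - start_cum) / (end_ts - start_ts))

def collateral_price(obs, in_range_liquidity):
    """Price to value collateral at, or None when the feed fails the checks."""
    if in_range_liquidity < MIN_LIQUIDITY:
        return None                    # thin pool: cheap to move, do not trust
    short = twap_price(obs, SHORT_WINDOW)
    long_ = twap_price(obs, LONG_WINDOW)
    if abs(short - long_) / long_ > MAX_DEVIATION:
        return None                    # sudden divergence: pause borrowing
    return min(short, long_)           # value collateral at the lower price

# Constructed data: 24 h at tick 0 (price 1.0), human units, decimals ignored.
NORMAL = build_observations([(85_800, 0), (600, 0)])
# Constructed data: last 10 minutes at a tick worth about 1e12.
MANIPULATED = build_observations([(85_800, 0), (600, 276_324)])

if __name__ == "__main__":
    print(collateral_price(NORMAL, 5_000_000))
    print(twap_price(MANIPULATED, SHORT_WINDOW))
    print(collateral_price(MANIPULATED, 5_000_000))
```

With the constructed data, the 10-minute TWAP reaches roughly 1e12 while the 24-hour TWAP moves only to about 1.21, so the divergence check withholds a price instead of valuing the collateral at the manipulated figure.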
The team is continuing to investigate the full impact of this exploit, working closely with Rari, Yearn, and Uniswap. We are assessing all options over the next 24 hours and will be paying close attention to the conversation on Discord. Look forward to an update within that timeframe.
The VBC and Rari teams continue to work together to assess any users who were liquidated due to the price manipulation attack.
Now that VUSD price is restored, the next step is turning liquidations back on, and getting the attacker off the platform.
Then the market will be ok and safe to use again (still at beta risk level).
It is our hope that we can make everybody whole, but we cannot make this promise until we have done a full and complete accounting, which may stretch into early next week.
Some VVSP liquidity has already returned — You’re getting a great APY right now! — which means that others can start to withdraw their VVSP.