Incident Summary
On 13 August 2024, the VOW token was exploited for around $1.2 million. The usdRateSetter address (0xbA1be907f532Ff6bb0088279e0f3DCDdD693aC7c) in the VOW contract temporarily changed the exchange rate (usdRate) between VOW and vUSD from 1 to 100. A malicious actor exploited the new usdRate to obtain vUSD at 100 times the correct amount.
After the incident, the VOW team released a statement on X claiming that they were "testing the USD rate setter function of the v$ contract in order to mint v$ for the new lending pool and oracle functions".

The attack contract was deployed 110 days prior to the incident and was executed within two blocks of the transaction that modified the usdRate. The usdRateSetter had performed similar operations on 1 March 2024, changing the usdRate to 200, then to 5, and finally to 1. This suggests that the attacker was monitoring for future changes to the usdRate and executed the attack as soon as the opportunity arose.
Key Transactions
Attack Flow
Addresses
- Exploiter wallet address: ETH 0x48de6bF9e301946b0a32b053804c61DC5f00c0c3
- Exploit contract: ETH 0xB7F221e373e3F44409F91C233477ec2859261758
- usdRateSetter: ETH 0xbA1be907f532Ff6bb0088279e0f3DCDdD693aC7c
Step by Step
Steps two onwards are based on transaction 0x758efef41e60c0f218682e2fa027c54d8b67029d193dd7277d6a881a24b9a561
- Two blocks before the attack, the usdRateSetter set the usdRate to 100. The usdRate had previously been set to 1 on 1 March 2024. This was not the first time the usdRateSetter had temporarily modified the usdRate: on 22 November 2023 and 1 March 2024, the usdRate was also temporarily changed to 150 and 200 respectively. However, these previous changes were not exploited.

- Having detected the rate change to 100, the attacker borrowed 1,486,625 VOW tokens from the Uniswap VOW-WETH pool and transferred them all to the VSCTokenManager contract. The purpose of this step was to burn the VOW tokens in exchange for vUSD.

- When the VSCTokenManager receives VOW tokens, it calculates the amount of vUSD that should be minted based on the usdRate. Since the usdRate was set to 100, the attacker received 100 vUSD for every VOW token burned. The attacker burned 1,486,625 VOW and therefore received 148,662,529 vUSD.


- The attacker used the vUSD to drain the VOW-vUSD pool, swapping 148M vUSD for the 59M VOW tokens that were in the pool. The attacker then repaid 1,490,198 VOW tokens to the VOW-WETH pool to cover the initial borrow, and used the remaining VOW to drain the VOW-USDT and VOW-WETH pools. In total they drained approximately 175 ETH, 595k USDT and 5.8M VOW.
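
The mint arithmetic from the steps above, together with one possible safeguard on a rate setter, as an added example: a simplified Python model, not the VOW contract's code. The `GuardedRate` class, the basis-point scale, the 10% per-update step limit and the two-day delay are assumptions chosen for illustration; amounts are whole tokens.

```python
# Added example: simplified model, not the VOW contract's code.
from dataclasses import dataclass
from typing import Optional, Tuple

BPS = 10_000  # assumed fixed-point scale: 10_000 represents a usdRate of 1


def vusd_minted(vow_burned: int, rate_bps: int) -> int:
    """vUSD minted for burned VOW, as the page describes: amount * usdRate."""
    return vow_burned * rate_bps // BPS


@dataclass
class GuardedRate:
    """Hypothetical rate holder with a bounded step and a timelock."""
    rate_bps: int
    max_step_bps: int = 1_000          # assumed: at most 10% change per update
    delay_s: int = 2 * 24 * 3600       # assumed: 2-day delay before it applies
    pending: Optional[Tuple[int, int]] = None  # (new_rate_bps, effective_at)

    def propose(self, new_rate_bps: int, now: int) -> int:
        """Queue a change; reject jumps larger than the step limit."""
        limit = self.rate_bps * self.max_step_bps // BPS
        if new_rate_bps <= 0 or abs(new_rate_bps - self.rate_bps) > limit:
            raise ValueError(f"rate change {self.rate_bps}->{new_rate_bps} exceeds limit")
        self.pending = (new_rate_bps, now + self.delay_s)
        return self.pending[1]

    def current(self, now: int) -> int:
        """Rate used for minting; a queued change applies only after the delay."""
        if self.pending is not None and now >= self.pending[1]:
            self.rate_bps, self.pending = self.pending[0], None
        return self.rate_bps


if __name__ == "__main__":
    borrowed = 1_486_625                       # whole VOW borrowed, from the page
    print(vusd_minted(borrowed, 1 * BPS))      # minted at usdRate 1
    print(vusd_minted(borrowed, 100 * BPS))    # minted at usdRate 100
    guard = GuardedRate(rate_bps=1 * BPS)
    try:
        guard.propose(100 * BPS, now=0)        # the 1 -> 100 change is refused
    except ValueError as err:
        print("rejected:", err)
```

With whole-token inputs the model mints 148,662,500 vUSD at a usdRate of 100, in line with the 148,662,529 vUSD reported above, while the guarded setter refuses the jump from 1 to 100 and makes any accepted change visible for the length of the delay before it affects minting.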
The Stats
This incident is the second we've recorded with losses of more than $1M so far in August 2024 and the 70th of 2024 as a whole.

This attack serves as a stark reminder that any modification of critical contract parameters should be carefully reviewed and, ideally, advised by blockchain security experts before being executed on-chain. It highlights the importance of conducting regular audits. To keep up to date on the latest incident alerts and statistics follow @certikalert on X, or read our latest analysis on certik.com.



