On 13 August 2024, VOW token was exploited for around $1.2 million. The usdRateSetter address (0xbA1be907f532Ff6bb0088279e0f3DCDdD693aC7c) in the VOW contract temporarily changed the exchange rate (usdRate) between VOW and vUSD from 1 to 100. A malicious actor exploited the new usdRate to obtain vUSD at 100 times the correct amount.
After the incident, the VOW team released a statement on X claiming that they were "testing the USD rate setter function of the v$ contract in order to mint v$ for the new lending pool and oracle functions".
The attack contract was deployed 110 days prior to the incident, and the attack was executed within two blocks of the transaction that modified the usdRate. The usdRateSetter had performed similar operations on 1 March 2024, changing the usdRate to 200, then to 5, and finally to 1. This suggests that the attacker was monitoring for future changes to the usdRate and executed the attack immediately once the opportunity arose.
Addresses
Step by Step
Step two onwards is based on txn 0x758efef41e60c0f218682e2fa027c54d8b67029d193dd7277d6a881a24b9a561
This incident is the second we've recorded with losses of more than $1M so far in August 2024 and the 70th of 2024 as a whole.
This attack serves as a stark reminder that any modification of critical contract parameters should be carefully reviewed and, ideally, advised by blockchain security experts before being executed on-chain. It highlights the importance of conducting regular audits.
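One way to keep a rate change from becoming live the moment it is sent, shown as an added example that is not the VOW contract's or CertiK's code. It assumes a simplified conversion (vUSD out = VOW in × usdRate) and hypothetical policy values (a 10% maximum step and a 7,200-block delay); block numbers are constructed.

```python
# Added example: simplified model, NOT the VOW contract's code.
# Assumption: vUSD out = VOW in * usdRate, usdRate held as fixed-point (SCALE = 1.0).
SCALE = 1_000
MAX_STEP_BPS = 1_000   # assumed policy: one update may move the rate at most 10%
DELAY_BLOCKS = 7_200   # assumed policy: a change waits about a day of blocks


class RateChangeRejected(Exception):
    """Raised when a proposed rate violates the update policy."""


class UnguardedRate:
    """Setter whose change is live immediately (the behaviour the page describes)."""
    def __init__(self, rate=SCALE):
        self.rate = rate

    def set_rate(self, new_rate, block):
        self.rate = new_rate  # block is unused: nothing delays the change

    def convert(self, vow_in, block):
        return vow_in * self.rate // SCALE


class GuardedRate(UnguardedRate):
    """Same conversion, but updates are bounded and only apply after a delay."""
    def __init__(self, rate=SCALE):
        super().__init__(rate)
        self.pending = None  # (new_rate, first block at which it applies)

    def set_rate(self, new_rate, block):
        if new_rate <= 0 or abs(new_rate - self.rate) * 10_000 > self.rate * MAX_STEP_BPS:
            raise RateChangeRejected(f"{self.rate} -> {new_rate} exceeds policy")
        self.pending = (new_rate, block + DELAY_BLOCKS)

    def convert(self, vow_in, block):
        if self.pending and block >= self.pending[1]:
            self.rate, self.pending = self.pending[0], None
        return super().convert(vow_in, block)


def vusd_two_blocks_after(rate_model, new_rate, vow_in=1_000, block=100):
    """Set the rate at a constructed block, convert two blocks later, return vUSD out."""
    try:
        rate_model.set_rate(new_rate, block)
    except RateChangeRejected:
        pass  # a rejected change leaves the old rate in force
    return rate_model.convert(vow_in, block + 2)
```

With the unguarded model, a 1 to 100 change yields 100 times the vUSD two blocks later; with the guarded model the same change is rejected, and even an in-policy change is not yet in force at that point.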