Vow Incident Analysis
8/13/2024

Incident Summary

On 13 August 2024, the VOW token was exploited for around $1.2 million. The usdRateSetter address (0xbA1be907f532Ff6bb0088279e0f3DCDdD693aC7c) in the VOW contract temporarily changed the exchange rate (usdRate) between VOW and vUSD from 1 to 100. A malicious actor exploited the new usdRate to obtain 100 times the correct amount of vUSD.

After the incident, the VOW team released a statement on X claiming that they were "testing the USD rate setter function of the v$ contract in order to mint v$ for the new lending pool and oracle functions".

The attack contract was deployed 110 days prior to the incident and executed within two blocks of the transaction that modified the usdRate. The usdRateSetter had performed similar operations on 1 March 2024, changing the usdRate to 200, then to 5, and finally to 1. This suggests that the attacker was monitoring for future changes to the usdRate and executed the attack as soon as the opportunity arose.

Key Transactions

  • usdRate change: txn
  • Exploit transactions: txn1 | txn2
  • Attacker sold VOW: txn

Attack Flow

Addresses

Step by Step

Step two onwards is based on txn 0x758efef41e60c0f218682e2fa027c54d8b67029d193dd7277d6a881a24b9a561

  1. Two blocks before the attack, the usdRateSetter set the usdRate to 100. The usdRate had previously been set to one on 1 March 2024. This was not the first time the usdRateSetter had temporarily modified the usdRate. On 22 November 2023 and 1 March 2024 the usdRate was also temporarily changed to 150 and 200 respectively. However, these previous changes were not exploited.

  2. Having detected the rate change to 100, the attacker borrowed 1,486,625 VOW tokens from the Uniswap VOW-WETH pool and transferred them all to the VSCTokenManager contract. The purpose of this step was to burn the VOW tokens in exchange for vUSD.

  3. When the VSCTokenManager receives VOW tokens, it calculates the amount of vUSD that should be minted based on the usdRate. Since the usdRate was set to 100, the attacker received 100 vUSD for every VOW token burned. The attacker burned 1,486,625 VOW and therefore received 148,662,529 vUSD.

  4. The attacker used the vUSD to drain the VOW-vUSD pool, swapping 148M vUSD for the 59M VOW tokens that were in the pool. The attacker then repaid 1,490,198 VOW tokens to the VOW-WETH pool for the initial borrow and used the remaining VOW to drain the VOW-USDT and VOW-WETH pools. In total they drained approximately 175 ETH, 595k USDT and 5.8M VOW.

The Stats

This incident is the second we've recorded with losses of more than $1M so far in August 2024 and the 70th of 2024 as a whole.

This attack serves as a stark reminder that any modification of critical contract parameters should be carefully reviewed and, ideally, advised by blockchain security experts before being executed on-chain. It highlights the importance of conducting regular audits. To keep up to date on the latest incident alerts and statistics follow @certikalert on X, or read our latest analysis on certik.com.
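
One way to constrain a privileged rate setter such as the usdRateSetter described above, given as an added example that is not the VOW contract's code or CertiK's. The contract name, the 10% step bound, the two-day delay and the 18-decimal rate scaling are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the VOW contract. Contract name, bounds, delay and
// the 18-decimal rate scaling are assumptions chosen for the example.
contract GuardedUsdRate {
    uint256 public constant DELAY = 2 days;        // assumed review window
    uint256 public constant MAX_STEP_BPS = 1_000;  // assumed cap: 10% per update

    address public immutable usdRateSetter;
    uint256 public usdRate = 1e18;  // 1 VOW -> 1 vUSD in 18-decimal fixed point
    uint256 public pendingRate;
    uint256 public pendingEta;      // 0 while nothing is queued

    event RateQueued(uint256 newRate, uint256 eta);
    event RateApplied(uint256 oldRate, uint256 newRate);
    error NotSetter();
    error StepTooLarge();
    error NotReady();

    constructor(address setter) { usdRateSetter = setter; }

    modifier onlySetter() {
        if (msg.sender != usdRateSetter) revert NotSetter();
        _;
    }

    // Queue a change; a jump such as 1 -> 100 fails the step bound here.
    function queueRate(uint256 newRate) external onlySetter {
        uint256 diff = newRate > usdRate ? newRate - usdRate : usdRate - newRate;
        if (newRate == 0 || diff * 10_000 > usdRate * MAX_STEP_BPS) revert StepTooLarge();
        pendingRate = newRate;
        pendingEta = block.timestamp + DELAY;
        emit RateQueued(newRate, pendingEta);
    }

    // The queued rate only takes effect after the delay has elapsed.
    function applyRate() external onlySetter {
        if (pendingEta == 0 || block.timestamp < pendingEta) revert NotReady();
        emit RateApplied(usdRate, pendingRate);
        usdRate = pendingRate;
        pendingEta = 0;
    }

    // vUSD owed for burning `vowBurned` VOW at the currently applied rate.
    function quoteMint(uint256 vowBurned) external view returns (uint256) {
        return vowBurned * usdRate / 1e18;
    }
}
```

With these assumed bounds, a change from 1 to 100 reverts in queueRate, and any accepted change is visible on-chain as a RateQueued event for the full delay before it affects minting.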