Vee Finance

Raw content extract from web search (WebFetch tool not available).

Vee Finance Hack — September 21, 2021

Summary

Vee Finance, an Avalanche-based DeFi lending platform, was exploited for ~$35M on September 20–21, 2021, just one week after launch. The attacker drained 8,804.7 ETH (~$26M) and 213.93 BTC (~$9M).

Technical Vulnerabilities

1. Single-Oracle Vulnerability — The protocol used only a single oracle for price information; the oracle was configured to rely solely on the price from the Pangolin (DEX) pool, making the entire system susceptible to price manipulation via low-liquidity AMM pools.

2. Decimal-Processing Error — The price calculations used to evaluate trades had a fundamental mathematical error: lack of proper decimals processing in the price acquisition function. Decimal places were not appropriately handled, leading to calculation errors particularly problematic for tokens with significantly different decimals.

Audit History

• A prior SlowMist audit had raised multiple concerns about Vee Finance's use of oracles. These concerns were ignored by the protocol prior to deployment.

Impact

• ~8,804.7 ETH (~$26M) and 213.93 BTC (~$9M) drained.

• Total loss ~$35M.

• This was the second major exploit on Avalanche after Zabu Finance earlier that month.

Response

• Vee Finance suspended its contracts.

• Posted a public attack analysis on Medium.

• Engaged with the security community on tracing and remediation.