Saddle Finance - REKT 2
Date: May 1, 2022
What Happened
Saddle Finance suffered a second major exploit: attackers stole $11 million, and a further $3.8 million was rescued through a BlockSec whitehat recovery. The incident put Saddle at position #43 on the rekt.news leaderboard, significantly higher than their previous January 2021 breach.
Financial Impact
• Stolen: $11 million (3,375 ETH in primary transaction + 557 ETH in secondary)
• Rescued by BlockSec: $3.8 million (1,357 ETH)
• Total exposure: ~$14.8 million
Technical Root Cause
The vulnerability existed in an older version of the MetaSwapUtils library that lacked proper virtual price calculations for LP token valuation during metapool swaps. Although Saddle published a fix in December following a near-miss with Synapse protocol ($8.2M exposure), the corrected code wasn't properly integrated into active metapool swap mechanisms.
Attack Vector
The exploit targeted Saddle Finance's sUSDv2 metapool (Synthetix sUSD paired with saddleUSD-V2 LP tokens). Attackers employed flash loans to execute a series of sUSD/saddleUSD-V2 swaps, manipulating LP token prices and profiting from the price differential when swapping back for sUSD.
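The mispricing described above can be reproduced in a small model and caught with a round-trip invariant check. This is an added example, not Saddle's code or code from the original page. Assumptions: a constant-product curve stands in for the StableSwap invariant, fees are zero, the balances and the 1.05 virtual price are constructed, all names are hypothetical, and which swap direction omits the virtual-price scaling is chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class ToyMetaPool:
    """Constructed model: stablecoin vs. base-pool LP token, zero fees."""
    stable: float         # stablecoin balance
    lp: float             # LP token balance
    virtual_price: float  # value of one LP token in stablecoin units
    scale_output: bool    # False = output path skips virtual-price scaling

    def swap_stable_for_lp(self, dx: float) -> float:
        # Price in normalized units: LP balance valued at its virtual price.
        x, y = self.stable, self.lp * self.virtual_price
        dy_norm = y - (x * y) / (x + dx)
        # Normalized output must be converted back into LP token units.
        dy = dy_norm / self.virtual_price if self.scale_output else dy_norm
        self.stable += dx
        self.lp -= dy
        return dy

    def swap_lp_for_stable(self, dx_lp: float) -> float:
        x, y = self.lp * self.virtual_price, self.stable
        dx = dx_lp * self.virtual_price
        dy = y - (x * y) / (x + dx)
        self.lp += dx_lp
        self.stable -= dy
        return dy

def round_trip_gain(scale_output: bool, amount: float = 100_000.0) -> float:
    """Stablecoin gained by swapping into the LP token and straight back."""
    pool = ToyMetaPool(10_000_000.0, 10_000_000.0, 1.05, scale_output)
    lp_out = pool.swap_stable_for_lp(amount)
    return pool.swap_lp_for_stable(lp_out) - amount

def passes_round_trip_invariant(scale_output: bool, tol: float = 1e-3) -> bool:
    """Regression check: a zero-fee round trip must never return a profit."""
    return round_trip_gain(scale_output) <= tol

if __name__ == "__main__":
    for scaled in (True, False):
        print(scaled, round(round_trip_gain(scaled), 2),
              passes_round_trip_invariant(scaled))
```

In this model the unscaled path returns a gain of amount × (virtual price − 1) per round trip, which is the kind of result a pre-deployment invariant test on every swap entry point would flag.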
Key Addresses & Transactions
• Exploiter address: 0x63341ba917de90498f3903b199df5699b4a55ac0
• Primary hack tx: 0x2b023d65485c4bb68d781960c2196588d03b871dc9eb1c054f596b7ca6f7da56
• Secondary hack tx: 0xe7e0474793aad11875c131ebd7582c8b73499dd3c5a473b59e6762d4e373d7b8
• BlockSec recovery tx: 0x9549c0...
Funds subsequently moved through Tornado Cash mixers.
Remediation
The December 2021 fix to MetaSwapUtils was available but required proper deployment across all affected swap functions to prevent similar attacks.