Value DeFi

Value DeFi Hack - May 5, 2021 ($10M)

Overview

Value DeFi, a Binance Smart Chain DeFi project, was hacked in May 2021. There were actually two separate incidents in early May 2021:

On May 5th 2021, at 3:22 AM UTC, the exploiter re-initialized the pool and set the operator role to himself and _stakeToken to HACKEDMONEY. The hacker obtained a ten million dollar prize without even taking out a loan.

About $11M was stolen from non 50/50 pools, as scammers managed to exploit its automated market maker (AMM) known as vSwap.

Technical Details

The attacker made a flash loan, so the vSwap contract transferred tokens to the attacker, and the key vulnerability was that the inspection could be passed through specially constructed data. During setup of the profit-sharing vStake pool, the code was migrated from the old implementation but a critical line was not included.

The combined losses from both incidents totaled approximately $21 million in Value DeFi's ecosystem on the Binance Smart Chain.

Sources

• https://slowmist.medium.com/slowmist-value-defi-vswap-module-hack-analysis-64e8909ef6a2

• https://www.quadrigainitiative.com/hackfraudscam/valuedefionsaleagain.php

• https://rekt.news/value-rekt2

• https://ironfinance.medium.com/07-may-2021-value-defi-incident-part-1-b4f2a7a1a2b2

• https://docs.valuedefi.io/products/vSwap