bEarn.Fi Incident Analysis — bVaults Improper Withdrawal Amount Handling

Starting at 10:36:20 AM UTC on May 16th, 2021, bEarn.Fi's BUSD vault was exploited through improper withdrawal amount handling. In this post, we describe the technical details of the issue step by step.

1. TL;DR

  • bEarn.Fi assumed that 1 ibBUSD (the Alpaca Vault BUSD share token) is always worth exactly 1 BUSD.
  • Because of this, the withdraw() function of the BvaultsStrategy contract returns less BUSD to the bVault contract than it actually redeemed from the farm, leaving a BUSD balance behind in the BvaultsStrategy contract.
  • On the next deposit, that leftover balance is staked into the farm contract again and counted a second time, so the wantLockedTotal value is inflated.
  • Since withdrawals are valued against the inflated wantLockedTotal, every withdrawal pays out more than the value actually deposited.
  • The attacker wrote a smart contract that takes a flash loan from Cream.Finance and then deposits into and withdraws from the bEarn.Fi BUSD vault repeatedly.
  • Thanks to the inflated value, each deposit-and-withdraw pair yielded a profit for the attacker.

2. Related BSC Addresses

3. In-depth Technical Analysis

1. In the BvaultsStrategy contract, the withdraw() function withdraws _wantAmt ibBUSD from the farming contract (Alpaca Fair Launch), burns the ibBUSD for BUSD, and then transfers _wantAmt BUSD to the vault. The same number is used both as an ibBUSD amount and as a BUSD amount.

BvaultsStrategy.sol

2. Because burning 1 ibBUSD returns more than 1 BUSD, some BUSD is left behind in the BvaultsStrategy contract after each withdrawal.

3. In the deposit() function of BvaultsStrategy, if the strategy is an auto-compounding strategy, the _farm() function is called.

BvaultsStrategy.sol

4. In the _farm() function, the whole BUSD balance of the BvaultsStrategy contract, including the leftover from the previous withdrawal, is added to wantLockedTotal and deposited into the farming contract. The leftover already belonged to the pool and was never deducted from wantLockedTotal, so counting it again inflates wantLockedTotal.

BvaultsStrategy.sol

5. Because the vault values shares against wantLockedTotal, an inflated wantLockedTotal lets a user withdraw more BUSD than their shares are really backed by.

BvaultsBank.sol

6. With this bug, the attacker can repeatedly deposit and withdraw, gaining profit on every cycle from the inflated wantLockedTotal value.

Please see the attack activity from the transaction detail below:

https://bscscan.com/tx/0x6bf610ecaf2f89f41bcad7aca4646199430839e7cf979fbcafa896e5126361d1
  1. The attacker flash-loaned 7,814,952.39 BUSD from Cream.Finance.
  2. The attacker deposited the loaned amount, together with the attacker's own BUSD, into the bEarn.Fi BUSD vault.
  3. The attacker withdrew the shares from the vault.

As the transaction shows, the attack is very simple: the attacker just repeatedly deposited into and withdrew from bEarn.Fi.

There are two mistakes in bEarn.Fi, shown in the red and orange boxes in the screenshot above.

  • Orange Box: bEarn.Fi assumed that 1 ibBUSD (the Alpaca Vault BUSD share token) is always worth exactly 1 BUSD. This causes the BvaultsStrategy contract to return less BUSD to the bVault contract than it actually redeemed, leaving a leftover balance in the BvaultsStrategy smart contract.
  • Red Box: The bVault contract miscalculated the value of the user's shares because wantLockedTotal was inflated. As a result, the withdrawn amount is higher than the value actually deposited.
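To make steps 1 to 6 of the technical analysis and the deposit/withdraw loop of the transaction concrete, the following Python model was added for this analysis; it is not bEarn.Fi's, Alpaca's or Inspex's code. It simulates the share accounting of BvaultsBank and BvaultsStrategy against a simplified Alpaca vault (a constant ibBUSD/BUSD exchange rate RATE of 1.01, an assumption) and Fair Launch (a counter of staked ibBUSD). The honest pool HONEST_DEPOSIT of 10,000,000 BUSD is constructed; the flash loan size is the figure from the transaction above, and the loan is treated as free. Fees, rounding and the exact contract signatures are ignored (exact fractions replace Solidity integer division). The buggy=False branch shows one possible fix, converting the requested BUSD amount to ibBUSD at the vault rate before unstaking, which is an assumption and not the project's actual patch.

```python
from fractions import Fraction

# Constructed parameters (only the flash-loan size is taken from the post).
RATE = Fraction(101, 100)              # BUSD per ibBUSD: burning 1 ibBUSD yields 1.01 BUSD
HONEST_DEPOSIT = Fraction(10_000_000)  # BUSD already in the vault from other users
FLASH_LOAN = Fraction("7814952.39")    # BUSD borrowed for each deposit/withdraw cycle


class BvaultsStrategy:
    """Strategy accounting; buggy=True keeps the 1 ibBUSD == 1 BUSD assumption.
    Alpaca vault = fixed RATE, Fair Launch = the staked_ib counter (simplified)."""
    def __init__(self, buggy):
        self.buggy = buggy
        self.busd = Fraction(0)              # BUSD sitting in the strategy contract
        self.staked_ib = Fraction(0)         # ibBUSD staked in Fair Launch
        self.want_locked_total = Fraction(0)
        self.shares_total = Fraction(0)

    def deposit(self, want_amt):
        self.busd += want_amt
        shares_added = want_amt
        if self.want_locked_total > 0 and self.shares_total > 0:
            shares_added = want_amt * self.shares_total / self.want_locked_total
        self.shares_total += shares_added
        self._farm()                         # auto-compounding strategy
        return shares_added

    def _farm(self):
        # The whole balance, leftover from earlier withdrawals included, is added
        # to wantLockedTotal and staked, although the leftover already belonged
        # to the pool: this is where wantLockedTotal gets inflated.
        want_amt = self.busd
        self.want_locked_total += want_amt
        self.busd = Fraction(0)
        self.staked_ib += want_amt / RATE    # Alpaca vault mints ibBUSD at RATE

    def withdraw(self, want_amt):
        if self.buggy:
            ib = want_amt                    # BUG: _wantAmt BUSD unstaked as _wantAmt ibBUSD
        else:
            ib = want_amt / RATE             # assumed fix: convert BUSD to ibBUSD first
        if ib > self.staked_ib:              # Fair Launch would revert here
            raise RuntimeError("withdraw exceeds staked ibBUSD")
        self.staked_ib -= ib
        self.busd += ib * RATE               # burn ibBUSD for BUSD
        want_amt = min(want_amt, self.busd, self.want_locked_total)
        shares_removed = min(want_amt * self.shares_total / self.want_locked_total,
                             self.shares_total)
        self.shares_total -= shares_removed
        self.want_locked_total -= want_amt
        self.busd -= want_amt                # only _wantAmt goes to the bank; the rest stays
        return want_amt, shares_removed

    def real_backing(self):
        """BUSD actually behind the vault: staked ibBUSD at RATE plus loose BUSD."""
        return self.staked_ib * RATE + self.busd


class BvaultsBank:
    """Vault side: a user's value is shares * wantLockedTotal / sharesTotal."""
    def __init__(self, strategy):
        self.strategy, self.shares = strategy, {}

    def deposit(self, user, amt):
        self.shares[user] = self.shares.get(user, Fraction(0)) + self.strategy.deposit(amt)

    def value_of(self, user):
        s = self.strategy
        return self.shares.get(user, Fraction(0)) * s.want_locked_total / s.shares_total

    def withdraw_all(self, user):
        paid, removed = self.strategy.withdraw(self.value_of(user))
        self.shares[user] -= removed
        return paid


def run_attack(buggy, cycles=5):
    """Honest deposit, then `cycles` flash-loan deposit/withdraw rounds. Returns the
    attacker's cumulative profit per cycle, the honest user's bank-computed value and
    the BUSD actually backing the vault."""
    strat = BvaultsStrategy(buggy)
    bank = BvaultsBank(strat)
    bank.deposit("honest", HONEST_DEPOSIT)
    profit, history = Fraction(0), []
    for _ in range(cycles):
        bank.deposit("attacker", FLASH_LOAN + profit)        # loan plus gains so far
        profit = bank.withdraw_all("attacker") - FLASH_LOAN  # repay the loan, keep the rest
        history.append(profit)
    return history, bank.value_of("honest"), strat.real_backing()


if __name__ == "__main__":
    for buggy in (True, False):
        hist, honest_view, backing = run_attack(buggy)
        print("buggy" if buggy else "fixed", [round(float(p), 2) for p in hist],
              float(honest_view), float(backing))
```

The first cycle pays the attacker nothing; it only leaves RATE minus 1 times the withdrawn amount behind in the strategy. From the second cycle on, the deposit counts that leftover into wantLockedTotal after the attacker's shares were priced, so the attacker (holding most of the shares because of the flash loan) walks away with almost all of it, and each withdrawal leaves a larger leftover for the next round. The bank's view of the honest user's value keeps rising while the real backing falls; with the conversion fix, the same loop nets zero on every cycle.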

4. Attack Summary

In summary, by repeating the attack hundreds of times across 24 transactions, the attacker gained 11,769,184.44 BUSD in total from the bEarn.Fi BUSD vault.

For the complete details, the information for each transaction is summarized in the sheet below:

About Inspex

Inspex is formed by a team of cybersecurity experts highly experienced in various fields of cybersecurity. We provide blockchain and smart contract professional services at the highest quality to enhance the security of our clients and the overall blockchain ecosystem.

For any business inquiries, please contact us via Twitter, Telegram, or contact@inspex.co.

Cybersecurity professional service, specialized in blockchain and smart contract auditing https://twitter.com/InspexCo