Eleven Finance’s Incident Analysis — Improper Withdrawal Logic on emergencyBurn() Function
Starting at Jun 22, 2021, 10:58:00 PM UTC, Eleven Finance’s NeverSellVaults came under attack. Two attackers used the same flaw to attack Eleven Finance.
- First Attacker: https://www.bscscan.com/address/0xc71e2f581b77de945c8a7a191b0b238c81f11ed6
- Second Attacker (the same address that attacked Impossible Finance): https://www.bscscan.com/address/0x8e0d334a77614a7ce089c9246e9b1d7c7172ef02
Incident Analysis
Please consider the following transaction to be the example of this incident analysis:
https://www.bscscan.com/tx/0x16c87d9c4eb3bc6c4e5fbba789f72e8bbfc81b3403089294a81f31b91088fc2f
Related Addresses
- Attacker: https://www.bscscan.com/address/0x8e0d334a77614a7ce089c9246e9b1d7c7172ef02
- Attacker Contract: https://www.bscscan.com/address/0x6ce012f2a6fd6024b95e1bee2c75c603e4e71ce8
Attack Steps
1. Flash loan from PancakeSwap and swap $BUSD to $nrvFUSDT
2. Deposit $nrvFUSDT to the ElevenNeverSellVault contract, minting $11nrvFUSDT
3. Execute the emergencyBurn() function, withdrawing $nrvFUSDT without burning $11nrvFUSDT
4. Withdraw $nrvFUSDT from the ElevenNeverSellVault contract by burning $11nrvFUSDT
5. Swap $nrvFUSDT to $BUSD and pay back the flash loan fee
Code Analysis
The vulnerable code can be found in the following URL:
https://www.bscscan.com/address/0x030970f2378748eca951ca5b2f063c45225c8f6c#code
In the deposit() function of the ElevenNeverSellVault contract, the Eleven share tokens are minted when depositing, as shown below:
In the withdraw() function, the Eleven share tokens are burned when withdrawing, as follows:
However, in the emergencyBurn() function, the staked tokens are sent out without burning as shown above.
As a result, the attacker was able to use the emergencyBurn() function to get his tokens back without burning his shares. With the unburned shares and available tokens in the contract, when the attacker used the withdraw() function, the staked tokens in the contract were sent to the attacker address.
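The accounting flaw described above, as an added example: a simplified Python model, not the ElevenNeverSellVault source. It assumes shares are minted 1:1 against staked tokens, and the names Vault, replay and burn_on_emergency are hypothetical. It replays the deposit, emergencyBurn(), withdraw() sequence with and without the share burn and checks the invariant that outstanding shares never exceed the staked tokens held by the vault.

```python
# Simplified share-accounting model, constructed for illustration.
# Assumption: shares are minted 1:1 against staked tokens.

class Vault:
    def __init__(self, burn_on_emergency):
        self.burn_on_emergency = burn_on_emergency
        self.staked = 0     # staked tokens held by the vault
        self.shares = {}    # holder -> share-token balance

    def deposit(self, user, amount):
        self.staked += amount
        self.shares[user] = self.shares.get(user, 0) + amount   # mint shares

    def withdraw(self, user, amount):
        if amount <= 0 or self.shares.get(user, 0) < amount:
            raise ValueError("not enough shares")
        self.shares[user] -= amount                             # burn shares
        self.staked -= amount
        return amount

    def emergency_burn(self, user):
        amount = self.shares.get(user, 0)
        if self.burn_on_emergency:
            self.shares[user] = 0    # hardened: shares leave with the tokens
        self.staked -= amount        # flawed variant pays out, keeps shares
        return amount

    def solvent(self):
        # Invariant: every outstanding share is backed by a staked token.
        return self.staked >= sum(self.shares.values())


def replay(burn_on_emergency):
    """Replay deposit -> emergencyBurn -> withdraw; report the accounting."""
    vault = Vault(burn_on_emergency)
    vault.deposit("other_depositors", 1000)   # constructed pre-existing stake
    vault.deposit("caller", 500)
    received = vault.emergency_burn("caller")
    try:
        received += vault.withdraw("caller", 500)
    except ValueError:
        pass                                  # no shares left to redeem
    return received, vault.staked, vault.solvent()


if __name__ == "__main__":
    print("flawed  :", replay(burn_on_emergency=False))
    print("hardened:", replay(burn_on_emergency=True))
```

An invariant of this kind, asserted after every state-changing call in a test suite or fuzzing harness, flags any exit path that moves staked tokens without adjusting the share supply.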
About Inspex
Inspex is formed by a team of cybersecurity experts highly experienced in various fields of cybersecurity. We provide blockchain and smart contract professional services at the highest quality to enhance the security of our clients and the overall blockchain ecosystem.
For any business inquiries, please contact us via Twitter, Telegram, or contact@inspex.co