Eleven Finance’s Incident Analysis — Improper Withdrawal Logic on emergencyBurn() Function

Starting on Jun 22, 2021, 10:58:00 PM UTC, Eleven Finance’s NeverSellVaults came under attack. Two attackers exploited the same flaw.

Incident Analysis

Please consider the following transaction to be the example of this incident analysis:

Related Addresses

Attack Steps

1. Flash loan from PancakeSwap and swap $BUSD to $nrvFUSDT

2. Deposit $nrvFUSDT to the ElevenNeverSellVault contract, minting $11nrvFUSDT

3. Execute the emergencyBurn() function, withdrawing $nrvFUSDT without burning $11nrvFUSDT

4. Withdraw $nrvFUSDT from the ElevenNeverSellVault contract by burning $11nrvFUSDT

5. Swap $nrvFUSDT to $BUSD and pay back the flash loan fee

Code Analysis

The vulnerable code can be found in the following URL:

In the deposit() function of ElevenNeverSellVault contract, the Eleven share tokens are minted when depositing as shown below:

For the withdraw() function, the Eleven share tokens are also burned when withdrawing as follows:

However, in the emergencyBurn() function, the staked tokens are sent out without burning as shown above.

As a result, the attacker was able to use the emergencyBurn() function to get his tokens back without burning his shares. With the unburned shares and available tokens in the contract, when the attacker used the withdraw() function, the staked tokens in the contract were sent to the attacker address.
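The accounting flaw described above can be checked as an invariant: staked tokens held by the vault must always cover the shares outstanding. The following is an added example, a simplified Python model and not Eleven Finance's contract code or Inspex's; the 1:1 share minting, the account names, the amounts, the `burn_on_emergency` switch and the `backed()` check are all assumptions made for illustration.

```python
# Simplified share-accounting model (added example; not the ElevenNeverSellVault source).
class Vault:
    def __init__(self, burn_on_emergency):
        self.burn_on_emergency = burn_on_emergency  # hypothetical switch: False = flawed, True = hardened
        self.staked = 0    # staked tokens held by the vault
        self.shares = {}   # share-token balance per account

    def deposit(self, who, amount):
        self.staked += amount
        self.shares[who] = self.shares.get(who, 0) + amount  # mint shares 1:1 (assumption)

    def _burn(self, who, amount):
        if amount <= 0 or self.shares.get(who, 0) < amount:
            raise ValueError("insufficient shares")
        self.shares[who] -= amount

    def _pay(self, amount):
        if self.staked < amount:
            raise ValueError("insufficient staked tokens")
        self.staked -= amount
        return amount

    def withdraw(self, who, amount):
        self._burn(who, amount)      # shares are burned before tokens leave
        return self._pay(amount)

    def emergency_burn(self, who):
        amount = self.shares.get(who, 0)
        if self.burn_on_emergency:
            self._burn(who, amount)  # hardened: burn shares on this path too
        return self._pay(amount)     # flawed: tokens leave, shares remain

    def backed(self):
        # Invariant: every outstanding share is covered by a staked token.
        return self.staked >= sum(self.shares.values())


def run_sequence(burn_on_emergency):
    """Deposit, emergency_burn, then withdraw; return (paid out, left in vault, invariant held)."""
    v = Vault(burn_on_emergency)
    v.deposit("other_user", 100)     # constructed balances
    v.deposit("caller", 50)
    paid = v.emergency_burn("caller")
    invariant_held = v.backed()
    try:
        paid += v.withdraw("caller", 50)
    except ValueError:
        pass                         # hardened vault: no shares left to redeem
    return paid, v.staked, invariant_held
```

In the flawed configuration the caller is paid twice for one deposit and the shortfall comes out of the other depositor's stake; with the burn in place the second withdrawal is rejected and the invariant holds.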

About Inspex

Inspex is formed by a team of cybersecurity experts highly experienced in various fields of cybersecurity. We provide blockchain and smart contract professional services at the highest quality to enhance the security of our clients and the overall blockchain ecosystem.

For any business inquiries, please contact us via Twitter, Telegram, or contact@inspex.co




Cybersecurity professional service, specialized in blockchain and smart contract auditing https://twitter.com/InspexCo
