Eleven Finance’s Incident Analysis — Improper Withdrawal Logic on emergencyBurn() Function

Jun 23, 2021

Starting from Jun 22, 2021, 10:58:00 PM UTC, Eleven Finance’s NeverSellVaults came under attack. Two attackers used the same flaw to attack Eleven Finance.

Incident Analysis

Please consider the following transaction to be the example of this incident analysis:

Related Addresses

Attack Steps

1. Flash loan from PancakeSwap and swap $BUSD to $nrvFUSDT

2. Deposit $nrvFUSDT to ElevenNeverSellVault contract, minting $11nrvFUSDT

3. Execute emergencyBurn() function, withdrawing $nrvFUSDT without burning $11nrvFUSDT

4. Withdraw $nrvFUSDT from ElevenNeverSellVault contract by burning $11nrvFUSDT

5. Swap $nrvFUSDT to $BUSD and pay back the flash loan fee

Code Analysis

The vulnerable code can be found in the following URL:

In the deposit() function of ElevenNeverSellVault contract, the Eleven share tokens are minted when depositing as shown below:

For the withdraw() function, the Eleven share tokens are also burned when withdrawing as follows:

However, in the emergencyBurn() function, the staked tokens are sent out without burning as shown above.

As a result, the attacker was able to use the emergencyBurn() function to get his tokens back without burning his shares. With the unburned shares and available tokens in the contract, when the attacker used the withdraw() function, the staked tokens in the contract were sent to the attacker address.
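The accounting flaw described above can be checked as an invariant: after any exit path, outstanding shares must still be backed by staked tokens. The following is an added example, not Eleven Finance's contract code; `VaultModel`, the depositor names, the balances and the 1:1 share pricing are assumptions made for illustration.

```python
class VaultModel:
    """Toy share vault: one share minted per staked token (assumed 1:1 pricing)."""

    def __init__(self, burn_on_emergency):
        self.burn_on_emergency = burn_on_emergency
        self.staked = 0    # staked tokens the vault holds
        self.shares = {}   # account -> share balance

    def deposit(self, who, amount):
        self.staked += amount
        self.shares[who] = self.shares.get(who, 0) + amount   # mint shares

    def withdraw(self, who, amount):
        if amount > self.shares.get(who, 0) or amount > self.staked:
            raise ValueError("insufficient shares or vault balance")
        self.shares[who] -= amount                             # burn shares
        self.staked -= amount

    def emergency_burn(self, who):
        amount = self.shares.get(who, 0)
        if amount > self.staked:
            raise ValueError("insufficient vault balance")
        if self.burn_on_emergency:
            self.shares[who] = 0   # corrected path: burn shares with the payout
        self.staked -= amount      # tokens leave the vault on both paths
        return amount

    def fully_backed(self):
        # Invariant: every outstanding share is backed by a staked token.
        return self.staked >= sum(self.shares.values())


def check_emergency_exit(burn_on_emergency):
    """Return (invariant holds, caller's leftover shares, tokens left in vault)."""
    vault = VaultModel(burn_on_emergency)
    vault.deposit("depositor_a", 100)   # constructed sample balances
    vault.deposit("depositor_b", 50)
    vault.emergency_burn("depositor_b")
    return vault.fully_backed(), vault.shares["depositor_b"], vault.staked


if __name__ == "__main__":
    print("flawed:", check_emergency_exit(burn_on_emergency=False))
    print("fixed: ", check_emergency_exit(burn_on_emergency=True))
```

With the flawed path the leftover shares are claims on the other depositor's tokens, which is why the invariant fails; a unit or fuzz test asserting `fully_backed()` after every state-changing call would flag this class of bug before deployment.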

About Inspex

Inspex is formed by a team of cybersecurity experts highly experienced in various fields of cybersecurity. We provide blockchain and smart contract professional services at the highest quality to enhance the security of our clients and the overall blockchain ecosystem.

For any business inquiries, please contact us via Twitter, Telegram, or contact@inspex.co



