Eleven Finance’s Incident Analysis — Improper Withdrawal Logic on emergencyBurn() Function
Starting from Jun 22, 2021, 10:58:00 PM UTC, attacks were done on the Eleven Finance’s NeverSellVaults. Two attackers were using the same flaw to attack Eleven Finance.
- First Attacker:
- Second Attacker (The same address that attacked Impossible Finance):
Please consider the following transaction to be the example of this incident analysis:
- Attacker: https://www.bscscan.com/address/0x8e0d334a77614a7ce089c9246e9b1d7c7172ef02
- Attacker Contract: https://www.bscscan.com/address/0x6ce012f2a6fd6024b95e1bee2c75c603e4e71ce8
- Flash loan from PancakeSwap and swap $BUSD to $nrvFUSDT
2. Deposit $nrvFUSDT to ElevenNeverSellVault contract, minting $11nrvFUSDT
emergencyBurn() function, witdrawing $nrvFUSDT without burning $11nrvFUSDT
4. Withdraw $nrvFUSDT from ElevenNeverSellVault contract by burning $11nrvFUSDT
5. Swap $nrvFUSDT to $BUSD and payback flash loan fee
The vulnerable code can be found in the following URL:
deposit() function of ElevenNeverSellVault contract, the Eleven share tokens are minted when depositing as shown below:
withdraw() function, the Eleven share tokens are also burned when withdrawing as follows:
However, in the
emergencyBurn() function, the staked tokens are sent out without burning as shown above.
As a result, the attacker was able to use the
emergencyBurn() function to get his tokens back without burning his shares. With the unburned shares and available tokens in the contract, when the attacker used the
withdraw() function, the staked tokens in the contract were sent to the attacker address.
Inspex is formed by a team of cybersecurity experts highly experienced in various fields of cybersecurity. We provide blockchain and smart contract professional services at the highest quality to enhance the security of our clients and the overall blockchain ecosystem.