Eleven Finance’s Incident Analysis — Improper Withdrawal Logic on emergencyBurn() Function

Starting from Jun 22, 2021, 10:58:00 PM UTC, attacks were carried out on Eleven Finance's NeverSellVaults. Two attackers used the same flaw to attack Eleven Finance.

Incident Analysis

The following transaction is used as the example for this incident analysis:
https://www.bscscan.com/tx/0x16c87d9c4eb3bc6c4e5fbba789f72e8bbfc81b3403089294a81f31b91088fc2f

Related Addresses

Attack Steps

1. Take a flash loan from PancakeSwap and swap $BUSD to $nrvFUSDT

2. Deposit $nrvFUSDT to the ElevenNeverSellVault contract, minting $11nrvFUSDT

3. Execute the emergencyBurn() function, withdrawing $nrvFUSDT without burning $11nrvFUSDT

4. Withdraw $nrvFUSDT from the ElevenNeverSellVault contract by burning $11nrvFUSDT

5. Swap $nrvFUSDT to $BUSD and pay back the flash loan fee

Code Analysis

The vulnerable code can be found at the following URL:
https://www.bscscan.com/address/0x030970f2378748eca951ca5b2f063c45225c8f6c#code

In the deposit() function of the ElevenNeverSellVault contract, the Eleven share tokens are minted when depositing, as shown below:

In the withdraw() function, the Eleven share tokens are burned when withdrawing, as follows:

However, in the emergencyBurn() function, the staked tokens are sent out without burning the share tokens, as shown above.

As a result, the attacker was able to use the emergencyBurn() function to get his staked tokens back without burning his shares. The unburned shares were still redeemable against the tokens remaining in the contract, so when the attacker then called the withdraw() function, the staked tokens held by the contract were sent to the attacker's address.
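The accounting defect described above, as an added illustration that is not the ElevenNeverSellVault source and is not Inspex's code: a hypothetical 1:1 share vault built on OpenZeppelin's ERC20, with the vulnerable exit path (tokens paid out, shares left in circulation) next to the hardened one, plus a post-condition that any exit path breaking the share/backing relationship would trip. The contract name, the 1:1 share accounting and the `backed` modifier are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical 1:1 share vault (illustration only; not the ElevenNeverSellVault source).
// One staked token deposited mints one share; one share burned releases one staked token.
contract ShareVault is ERC20 {
    using SafeERC20 for IERC20;

    IERC20 public immutable staked;

    constructor(IERC20 _staked) ERC20("Vault Share", "vSHARE") {
        staked = _staked;
    }

    // Accounting invariant: every outstanding share must be backed by a staked token
    // held by the vault. Any exit path that moves tokens out without burning the
    // matching shares leaves totalSupply() above the balance and trips this check.
    modifier backed() {
        _;
        require(staked.balanceOf(address(this)) >= totalSupply(), "vault: unbacked shares");
    }

    function deposit(uint256 amount) external backed {
        staked.safeTransferFrom(msg.sender, address(this), amount);
        _mint(msg.sender, amount);               // shares minted against the deposit
    }

    function withdraw(uint256 shares) external backed {
        _burn(msg.sender, shares);               // shares destroyed before tokens leave
        staked.safeTransfer(msg.sender, shares);
    }

    // VULNERABLE PATTERN (the defect the analysis describes): the staked tokens are
    // paid out, but the caller's shares stay in circulation, so the same position
    // remains redeemable a second time through withdraw(). Shown without the
    // `backed` modifier on purpose; with it, this call would revert.
    function emergencyBurnVulnerable(uint256 shares) external {
        require(balanceOf(msg.sender) >= shares, "vault: insufficient shares");
        staked.safeTransfer(msg.sender, shares); // no _burn(): shares and backing diverge
    }

    // HARDENED: shares and their backing tokens always move together, and the
    // post-condition is enforced as a second line of defence.
    function emergencyBurn(uint256 shares) external backed {
        _burn(msg.sender, shares);
        staked.safeTransfer(msg.sender, shares);
    }
}
```

Tracing steps 2 to 4 of the attack against this model: a deposit of X tokens mints X shares; emergencyBurnVulnerable(X) pays X tokens out while the X shares survive; withdraw(X) then burns those shares and pays a further X tokens out of the vault's pre-existing balance. With the `backed` post-condition in place, the unburned exit reverts at the first step, and any other path that drifts the share supply away from the backing balance fails the same way, which is the property a reviewer should check on every function that transfers the staked asset out of a vault.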

About Inspex

Inspex is formed by a team of cybersecurity experts highly experienced in various fields of cybersecurity. We provide blockchain and smart contract professional services of the highest quality to enhance the security of our clients and the overall blockchain ecosystem.

For any business inquiries, please contact us via Twitter, Telegram, or contact@inspex.co

Inspex

Cybersecurity professional service, specialized in blockchain and smart contract auditing https://twitter.com/InspexCo