Wault Finance Incident Analysis: $WEX Price Manipulation Using WUSDMaster Contract

Starting from Aug 04, 2021, 01:49:05 AM UTC, an attack was carried out using Wault Finance’s $WUSD pegging mechanism. In this article, we describe the technical details of this issue step by step.

Related Addresses

Attack Steps

The attack took place on Binance Smart Chain, and the attacker’s activity can be seen in the following transaction: https://bscscan.com/tx/0x31262f15a5b82999bf8d9d0f7e58dcb1656108e6031a2797b612216a95e1670e

1. The attacker flash loaned $WUSD from WSwap’s WUSD-USDT pool and redeemed it for $USDT and $WEX.

2. The attacker flash loaned $USDT from PCS’s WBNB-USDT pool to prepare for the attack.

3. The attacker swapped a part of the flash loaned $USDT to $WEX before the price was pumped in the next steps.

4. The attacker staked the flash loaned $USDT to the WUSDMaster contract. 10% of the staked $USDT was swapped to $WEX (which increased the $WEX price), and the attacker received $WUSD at a 1:1 rate.

5. Since there was a limit on the staking amount, the attacker performed step 4 repeatedly to increase the $WEX price with almost no cost.

6. With the manipulated rate, the attacker gained profit in $USDT by swapping $WEX from steps 1 and 3 back to $USDT.

7. The attacker repaid the flash loaned $WUSD and $USDT.

8. The attacker swapped the remaining $WUSD and the $USDT profit to $ETH.

Code Analysis

Minting $WUSD can be done using the stake() function in the WUSDMaster contract. The stake() function accepts $USDT from the user in line 700 to mint $WUSD at a rate of 1:1 in line 715, and a portion of the $USDT received is swapped to $WEX using the ratio determined by the wexPermille variable in lines 708–714.


With this logic, each staking of $USDT to mint $WUSD will cause the price of $WEX in the Wault USDT-WEX pool to increase.

After executing the stake() function, it is possible to swap the $WUSD back to $USDT by using WUSD-USDT pool with a nearly 1:1 rate in the WSwap AMM. As a result, the WUSDMaster contract can be used to pump the $WEX price with almost no cost for the attacker.
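The following Python model is an added illustration, not code from the WUSDMaster contract or from Inspex. It replays repeated capped stakes against a constant-product USDT-WEX pool and compares the resulting $WEX price move with the staker's cost; the reserves, swap fee, WUSD exit rate and the reference-price guard (`ref_price`, `max_dev`) are assumptions made for the example, and the guard is not Wault Finance's actual fix.

```python
from dataclasses import dataclass

FEE = 0.002        # assumed AMM swap fee (constructed, not from the article)
WUSD_EXIT = 0.998  # assumed USDT received per WUSD sold back ("nearly 1:1")

@dataclass
class Pool:
    """Constant-product USDT-WEX pool; reserves are constructed sample values."""
    usdt: float
    wex: float

    def price(self) -> float:
        return self.usdt / self.wex  # spot price, USDT per WEX

    def buy_wex(self, usdt_in: float) -> float:
        eff = usdt_in * (1 - FEE)
        out = self.wex * eff / (self.usdt + eff)  # x*y=k output amount
        self.usdt += usdt_in
        self.wex -= out
        return out

class PriceDeviation(Exception):
    """Raised by the hypothetical reference-price guard."""

def stake(pool, usdt_in, wex_permille=100, ref_price=None, max_dev=0.05):
    """Model of stake() as the article describes it: mint WUSD 1:1 and swap
    wex_permille/1000 of the deposit to WEX. ref_price/max_dev are hypothetical."""
    if ref_price is not None and pool.price() > ref_price * (1 + max_dev):
        raise PriceDeviation("spot price too far above reference")
    pool.buy_wex(usdt_in * wex_permille / 1000)
    return usdt_in  # WUSD minted at 1:1

def run(rounds, stake_size, guarded):
    """Repeat capped stakes; return (price multiple, staker cost, stakes accepted)."""
    pool = Pool(usdt=2_000_000.0, wex=100_000_000.0)  # constructed reserves
    start, cost, accepted = pool.price(), 0.0, 0
    for _ in range(rounds):
        try:
            wusd = stake(pool, stake_size, ref_price=start if guarded else None)
        except PriceDeviation:
            break
        cost += stake_size - wusd * WUSD_EXIT  # loss from exiting WUSD at ~1:1
        accepted += 1
    return pool.price() / start, cost, accepted

if __name__ == "__main__":
    for guarded in (False, True):
        mult, cost, n = run(rounds=60, stake_size=250_000.0, guarded=guarded)
        print(f"guarded={guarded}: {n} stakes, WEX x{mult:.2f}, cost {cost:,.0f} USDT")
```

In the unguarded run the per-call stake limit does nothing to bound the cumulative price move, which is why a check against an independent reference price (an oracle or TWAP in practice) is modelled instead of a size cap.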


By using the flaw explained above, the attacker gained 370.19 ETH in total from this attack after repaying the flash loan.

Here is the announcement from Wault Finance regarding WUSD incident recap and solutions:

About Inspex

Inspex is formed by a team of cybersecurity experts highly experienced in various fields of cybersecurity. We provide blockchain and smart contract professional services at the highest quality to enhance the security of our clients and the overall blockchain ecosystem.

For any business inquiries, please contact us via Twitter, Telegram, or contact@inspex.co




Cybersecurity professional service, specialized in blockchain and smart contract auditing https://twitter.com/InspexCo
