Wault Finance Incident Analysis: $WEX Price Manipulation Using WUSDMaster Contract

Starting at Aug 04, 2021, 01:49:05 AM UTC, an attack was carried out using Wault Finance’s $WUSD pegging mechanism. In this article, we describe the technical details of this issue step by step.

Related Addresses

Attack Steps

1. The attacker flash loaned $WUSD from WSwap’s WUSD-USDT pool and redeemed it for $USDT and $WEX.

2. The attacker flash loaned $USDT from PCS’s WBNB-USDT pool to prepare for the attack.

3. The attacker swapped part of the flash loaned $USDT to $WEX before the price was pumped in the next steps.

4. The attacker staked the flash loaned $USDT to the WUSDMaster contract. 10% of the staked $USDT was swapped to $WEX (which increased the $WEX price), and the attacker gained $WUSD at a 1:1 rate.

5. Since there was a limit on the staking amount, the attacker performed step 4 repeatedly to increase the $WEX price at almost no cost.

6. With the manipulated rate, the attacker gained a profit in $USDT by swapping the $WEX from steps 1 and 3 back to $USDT.

7. The attacker returned the flash loaned $WUSD and $USDT.

8. The attacker swapped the remaining $WUSD and the $USDT profit to $ETH.

Code Analysis


With this logic, each staking of $USDT to mint $WUSD will cause the price of $WEX in the Wault USDT-WEX pool to increase.

After executing the stake() function, it is possible to swap the $WUSD back to $USDT through the WUSD-USDT pool in the WSwap AMM at a nearly 1:1 rate. As a result, the WUSDMaster contract can be used to pump the $WEX price at almost no cost to the attacker.
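The price effect described above can be reproduced with a small constant-product pool model. This is an added example, not code from Wault Finance or Inspex: the reserves, swap fee, stake cap and all function names are constructed assumptions, and the $WUSD to $USDT swap-back is treated as exactly 1:1 so the staked principal nets out.

```python
# Constructed model: reserves, fee and stake cap are sample values, not on-chain data.
from dataclasses import dataclass

FEE = 0.002           # assumed swap fee of the modelled AMM
SWAP_FRACTION = 0.10  # share of each stake swapped to WEX (figure from the article)

@dataclass
class Pool:
    """Constant-product USDT-WEX pool (usdt * wex = k)."""
    usdt: float
    wex: float

    def price(self) -> float:
        return self.usdt / self.wex  # spot price in USDT per WEX

    def buy_wex(self, usdt_in: float) -> float:
        eff = usdt_in * (1 - FEE)
        out = self.wex * eff / (self.usdt + eff)
        self.usdt += usdt_in
        self.wex -= out
        return out

    def sell_wex(self, wex_in: float) -> float:
        eff = wex_in * (1 - FEE)
        out = self.usdt * eff / (self.wex + eff)
        self.wex += wex_in
        self.usdt -= out
        return out

def stake(pool: Pool, usdt_amount: float) -> float:
    """Modelled stake(): 10% of the deposit buys WEX in the pool; WUSD is minted 1:1."""
    pool.buy_wex(usdt_amount * SWAP_FRACTION)  # bought WEX stays with the protocol
    return usdt_amount                         # WUSD minted to the staker

def simulate(pre_buy: float, stake_cap: float, rounds: int):
    """Return (start price, peak price, USDT result of the WEX round trip)."""
    pool = Pool(usdt=1_000_000.0, wex=10_000_000.0)
    start_price = pool.price()
    wex_held = pool.buy_wex(pre_buy)     # WEX position opened before any staking
    for _ in range(rounds):
        stake(pool, stake_cap)           # every stake pushes the spot price up
    peak_price = pool.price()
    usdt_back = pool.sell_wex(wex_held)  # position closed at the moved price
    return start_price, peak_price, usdt_back - pre_buy
```

With `rounds=0` the round trip loses fees and slippage; the result only turns positive because the protocol's own 10% swaps move the pool price between the buy and the sell.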


Here is the announcement from Wault Finance regarding the WUSD incident recap and solutions:

About Inspex

Inspex is formed by a team of cybersecurity experts highly experienced in various fields of cybersecurity. We provide blockchain and smart contract professional services at the highest quality to enhance the security of our clients and the overall blockchain ecosystem.

For any business inquiries, please contact us via Twitter, Telegram, or contact@inspex.co