Welnance’s Incident Analysis — $WEL Price Manipulation

Starting at Nov-13-2021 07:15:12 PM UTC, Welnance was exploited through price manipulation of PancakeSwap’s WEL−USDT pair contract. In this article, we describe the technical details of this attack step by step.

Related Addresses

Key Attack Steps

Transaction#1

Transaction URL: https://bscscan.com/tx/0x8e5fa0f5408e305f118c4b1af9d39614362674964bdba8d76ed85e31eb321955

1. Flashloan 550,000 $USDT from the USDT−WBNB pair on PancakeSwap

2. Supply 500,000 $USDT to Welnance’s lending pool as collateral

3. Borrow 385,000 $WEL from Welnance’s lending pool

4. Manipulate the price by swapping 385,000 $WEL to 42,738.840035601849495756 $USDT on PancakeSwap’s USDT−WEL pair

5. Redeem 492,013.211935781320397639 $USDT

6. Repay 551,402.5 $USDT for the flashloan

7. Send the 33,349.551971383169893395 $USDT profit to the attacker’s wallet

Transaction#2

Transaction URL: https://bscscan.com/tx/0xf7a9c59953763a57f412b2e45455e70192b44356c602f7c79ddbfa9cb05f440b

1. Flashloan 1,000,000 $USDT from the USDT−WBNB pair on PancakeSwap

2. Manipulate the price by swapping 1,000,000 $USDT to 169,882.169378306740578468 $WEL on PancakeSwap’s pair

3. Supply 80 $WEL to Welnance’s lending pool as collateral

4. Borrow 8,651 $USDT, 0.06 $BTCB, 0.7 $ETH, and 5 $BNB from Welnance’s lending pool

5. Swap 169,802.169378306740578468 $WEL back to 999,893.35774469076614121 $USDT

6. Repay 1,002,550 $USDT for the flashloan

7. Send the 5,994.35774469076614121 $USDT, 0.7 $ETH, 0.06 $BTCB, and 5 $BNB profit to the attacker’s wallet

Root Cause

This attack was caused by an improper implementation of the price oracle, which allowed the attacker to profit by manipulating the price of the USDT−WEL pair on PancakeSwap.

Root Cause for Attack Transaction #1

The lending pool calculates the value of the borrowed $WEL directly from the PancakeSwap spot price, without consulting a reliable price source.

The main controller contract (the Comptroller contract) has its oracle address set to WelPriceOracle.
https://bscscan.com/address/0xdc21c1dAF3277f07fFA6EB09fCD3E07EDc36DC0A#readProxyContract

The price of $WEL is calculated by the getUnderlyingPrice() function, which calls the getAmountOut() function on the PancakeSwap router.
https://bscscan.com/address/0x931b2556F6c7a6A1be2D580c6cbB77a2872A2c8C#code

The price before the swap is 0.74 USDT/WEL.

The price after the swap is 0.016 USDT/WEL.

Therefore, after the price was manipulated, the value of the borrowed $WEL was calculated at 0.016 $USDT per $WEL.

The amount of $USDT collateral the attacker can redeem is the total collateral value minus the value of the borrowed $WEL at the manipulated price, so the attacker was able to redeem most of their collateral from the pool.

Root Cause for Attack Transaction #2

This attack transaction uses the same price source as attack transaction #1.

Because the $USDT and $WEL reserves in the $WEL-$USDT pair on PancakeSwap were too low (around 30,000 $USDT and 160,000 $WEL), the $WEL price could be pushed very high when the attacker swapped 1,000,000 $USDT to $WEL.

With an abnormally high $WEL price, the $WEL the attacker supplied to the lending pool had an extremely high value, so the attacker could borrow an excessive amount of tokens from the pool.
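The two root causes above are the same defect viewed from both directions: an oracle that reads the spot reserve ratio of a thin constant-product pool will report whatever price a single large swap leaves behind, and a lending pool that prices collateral and debt with that number will let the manipulator redeem too much (transaction #1) or borrow too much (transaction #2). The following Python model is an added illustration, not Welnance’s or PancakeSwap’s code. It assumes a Uniswap-v2-style pair with a 0.25% fee, constructed starting reserves (50,320 USDT / 68,000 WEL for the first scenario, chosen to give the 0.74 USDT/WEL price stated above; 30,000 USDT / 160,000 WEL for the second, as the write-up estimates), a hypothetical 75% collateral factor, and Compound-style account liquidity; none of those parameters are taken from the Welnance contracts. The `checked_price` function sketches one mitigation: refuse to use the DEX spot price when it deviates too far from a reference price obtained from a reliable source (assumed here to be a TWAP or an external feed).

```python
from fractions import Fraction

# PancakeSwap v2-style pairs charge 0.25% per swap (9975/10000 of the input counts).
FEE_NUM, FEE_DEN = 9975, 10000

# Assumed collateral factor; the write-up does not state Welnance's actual value.
COLLATERAL_FACTOR = Fraction(3, 4)


class ConstantProductPool:
    """Constructed x*y=k model of a WEL-USDT pair; not the real pair contract."""

    def __init__(self, reserve_usdt, reserve_wel):
        self.usdt = Fraction(reserve_usdt)
        self.wel = Fraction(reserve_wel)

    def spot_price(self):
        """USDT per WEL as a getAmountOut()-style oracle effectively reads it."""
        return self.usdt / self.wel

    def _amount_out(self, amount_in, reserve_in, reserve_out):
        # Standard v2 getAmountOut formula with the fee applied to the input side.
        amount_with_fee = Fraction(amount_in) * FEE_NUM
        return amount_with_fee * reserve_out / (reserve_in * FEE_DEN + amount_with_fee)

    def sell_wel(self, wel_in):
        usdt_out = self._amount_out(wel_in, self.wel, self.usdt)
        self.wel += Fraction(wel_in)
        self.usdt -= usdt_out
        return usdt_out

    def buy_wel(self, usdt_in):
        wel_out = self._amount_out(usdt_in, self.usdt, self.wel)
        self.usdt += Fraction(usdt_in)
        self.wel -= wel_out
        return wel_out


def account_liquidity(usdt_collateral, wel_collateral, usdt_debt, wel_debt, wel_price):
    """Compound-style liquidity: collateral value * factor minus debt value (USDT = 1)."""
    collateral_value = (Fraction(usdt_collateral) + Fraction(wel_collateral) * wel_price)
    debt_value = Fraction(usdt_debt) + Fraction(wel_debt) * wel_price
    return collateral_value * COLLATERAL_FACTOR - debt_value


def max_redeemable_usdt(usdt_collateral, wel_debt, wel_price):
    """Largest USDT redemption that keeps account liquidity non-negative."""
    liquidity = account_liquidity(usdt_collateral, 0, 0, wel_debt, wel_price)
    return max(Fraction(0), liquidity / COLLATERAL_FACTOR)


def max_borrowable_usdt(wel_collateral, wel_price):
    """USDT borrow capacity granted by WEL collateral at the given oracle price."""
    return account_liquidity(0, wel_collateral, 0, 0, wel_price)


def checked_price(spot, reference, max_deviation_bps=500):
    """Mitigation sketch (assumed design, not Welnance's fix): accept the DEX spot
    price only if it is within max_deviation_bps of a reference price from a
    reliable source; otherwise refuse to price the position at all."""
    if abs(spot - reference) * 10000 > reference * max_deviation_bps:
        raise ValueError("spot price deviates from reference; refusing to use it")
    return spot


def simulate_tx1():
    """Direction of transaction #1: dump borrowed WEL to crush the price, then redeem."""
    pool = ConstantProductPool(50_320, 68_000)   # constructed reserves, 0.74 USDT/WEL
    price_before = pool.spot_price()
    redeemable_before = max_redeemable_usdt(500_000, 385_000, price_before)
    pool.sell_wel(385_000)                        # the borrowed WEL hits the thin pool
    price_after = pool.spot_price()
    redeemable_after = max_redeemable_usdt(500_000, 385_000, price_after)
    return price_before, price_after, redeemable_before, redeemable_after


def simulate_tx2():
    """Direction of transaction #2: buy out the thin pool to inflate the price, then borrow."""
    pool = ConstantProductPool(30_000, 160_000)  # reserves roughly as the write-up estimates
    price_before = pool.spot_price()
    pool.buy_wel(1_000_000)
    price_after = pool.spot_price()
    return (price_before, price_after,
            max_borrowable_usdt(80, price_before), max_borrowable_usdt(80, price_after))


if __name__ == "__main__":
    p0, p1, r0, r1 = simulate_tx1()
    print(f"tx1: price {float(p0):.4f} -> {float(p1):.4f}, redeemable {float(r0):,.0f} -> {float(r1):,.0f} USDT")
    q0, q1, b0, b1 = simulate_tx2()
    print(f"tx2: price {float(q0):.4f} -> {float(q1):.2f}, borrowable {float(b0):,.2f} -> {float(b1):,.0f} USDT")
```

With these constructed reserves the first scenario lands close to the figures in the write-up (the spot price falls from 0.74 to roughly 0.017 USDT/WEL and the redeemable collateral rises from about 120,000 to about 491,000 USDT), and the second scenario moves the price by three orders of magnitude, which is why 80 $WEL could back a borrow of thousands of dollars. The deviation check is deliberately conservative: a price that cannot be reconciled with the reference causes the lending operation to revert rather than proceed on a manipulated value.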

Conclusion

In summary, the attacker gained multiple assets worth more than $100K in total.

List of Drained Assets

Attack transaction #1

  • 385,000 $WEL

Attack transaction #2

  • 8,651 $USDT
  • 0.06 $BTCB
  • 0.7 $ETH

Total

  • 385,000 $WEL
  • 8,651 $USDT
  • 0.06 $BTCB
  • 0.7 $ETH
  • 5 $BNB

About Inspex

Inspex is formed by a team of cybersecurity experts highly experienced in various fields of cybersecurity. We provide blockchain and smart contract professional services at the highest quality to enhance the security of our clients and the overall blockchain ecosystem.

For any business inquiries, please contact us via Twitter, Telegram, or contact@inspex.co

Cybersecurity professional service, specialized in blockchain and smart contract auditing https://twitter.com/InspexCo