The Main Cause of Vee Finance Attack

  1. The oracle machine has a single source of price feed, and the refresh conditions are affected by the real-time number of tokens in the Pangolin pool (the pool price fluctuates by 3%, and it will be refreshed).
  2. Price acquisition has not been processed for decimals.
  1. When performing margin trading, the createOrderERC20ToERC20 function in the following code block will be called to create an order.
  2. When an order is created, the token exchange will be carried out through line 5 of the following code block.
  3. Before the token exchange, the expected slippage will be checked through the getAmountOutMin function on line 9 of the following code block.
  4. During slippage check, the priceA and PriceB quotes of the oracle will be obtained through lines 12 and 13 of the following code block, and then the number of TokenA that can be exchanged for TokenB at the current price is calculated through line 15 of the following code block. Finally, compare with the number of tokens acquired in the Pangolin pool. If the number of TokenB tokens that can be exchanged in the pool is greater than or equal to the expected number of TokenB that can be exchanged using the oracle, then it can be judged that the pool price is correct and not controlled, and the order creation logic is continued.
  1. After the oracle machine obtains the token price, it should be processed with uniform decimals.
  2. No support for tokens with a single source of price feed.
  3. Modify the contract call check to: require(msg.sender == tx.origin)
  4. Whitelist restrictions on the target pair of margin trading.
  5. Whitelist restrictions on oracle price feeding permissions.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Vee Finance

Vee Finance

A lending protocol platform on Avalanche that bridges the gap between traditional financial users and crypto users.