VEE.Finance Attack Analysis

Vee Finance
2 min readSep 21, 2021

--

VEE.Finance Attack Analysis

Yesterday afternoon we identified suspicious behavior, we did a thorough review on all the transactions after we paused the smart contracts for the security of the assets. Here are the details about the attack.

Attack Address: 0xeeeE458C3a5eaAfcFd68681D405FB55Ef80595BA

Attack Timeline

Attack preparation

1. Attacker got 0.1 AVAX airdrop when crossing the chain with the help of Avalanche Bridge.

https://cchain.explorer.avax.network/tx/0x15a7b29c11ee8c1705e3b7e555fc5f35d862e439f62271c9dcda942ea525685a/internal-transactions

2. Attacker traded 26.999006274904347875 WETH.e to 1,369.708 AVAX via Pangolin.

https://cchain.explorer.avax.network/tx/0x797544ebce8acd384c162ad20bed30caadd852ed0a5b71550ab2f37c186840bd

3. Attacker deployed attack contract 1 (0x255945a4f673851633355b2592f602025ca20142).

https://cchain.explorer.avax.network/tx/0x50a136886e45d018f84f194e49d47aaaa34e1bd5f2b51f2bdc42e4fd20999062

4. Attacker called the init() method of attack contract 1 to trade AVAX to the tokens being attacked(XAVA/QI/LINK.e, etc.).

https://cchain.explorer.avax.network/tx/0x031f388aabfa26df922603c377e002713c6315e2660b89e9eea0f0983fbe137c

5. Attacker called the init() method of attack contract 1 to create trading pair to be used for the attack.

QI/WETH.e

https://cchain.explorer.avax.network/tx/0x072c8cb4a3d71f833d9b22965993657fd2a38e599ed0bcaa37554b39ac0be1b0

XAVA//WETH.e

https://cchain.explorer.avax.network/tx/0x6a05f6825273ff5ab5a6af4c22b2ab080fcfb152c45ff157e06f0f407c23fb24

LINK.e/WETH.e

https://cchain.explorer.avax.network/tx/0xf588a524d94e2b763361ec00e909b6b9ea9771eaea6a0f8a9137b22f4eda9250

QI/LINK.e

https://cchain.explorer.avax.network/tx/0x3579b8e772883aa77c22332b36dd4498c1016fed51ae58638d525934a83a9a88

XAVA/LINK.e

https://cchain.explorer.avax.network/tx/0x018dea69171e5451918530b13f750c9e4e528d161bc040be6079a15a5d1e007f

XAVA/WBTC.e

https://cchain.explorer.avax.network/tx/0x302a831bb6658d105f3772624078cec5600367d38cff351adb8cd87e005f5ac8

LINK.e/WBTC.e

https://cchain.explorer.avax.network/tx/0xf37d07ea719c3bccc02a45f3c9e65a3ed4c436fdee192d5a53f5453ea109d9d1

6. Attacker transfered 20 AVAX to each of the 5 accounts of the attack contract 1.

To 0x799965bADB76Cae3055E8472c0dEdB9622Bb8d2E

https://cchain.explorer.avax.network/tx/0x7a634dbd62dd0400d42778a967f473f399549e8eee2ceedf60e5cad0db88c70d

To 0xea8D4B36b21D7a5Ea70989C5db4Ce6DC172E41CD

https://cchain.explorer.avax.network/tx/0x835ab2409c32641744837653bce87839d339452b1538316d9c855959f5344f2e

To 0x8EaF218176490b9E7933bc58b08a0B45647794Ce

https://cchain.explorer.avax.network/tx/0x9141261ca39b92b756136dc5afc10a83acaa05421a73dcaa93c43ceee1edb806

To 0x4b962FcdBdef0f2DAb10AaD1e16bC8373525a58d

https://cchain.explorer.avax.network/tx/0x30e4104ac85f28a4c21c1f46286a41905099bce8b239873ae1b1d34d84243a04

To 0xC7264ac43470abBcde972983636FD8B55E23D167

https://cchain.explorer.avax.network/tx/0x316e96f9830907b981fa77c7ba55207968c2041344f8bd8eedbfbd741af5fe1b

Attack execution phase

1. Attacker invoked the method of attack contract 1 to carry out the attack, but due to insufficient gas fee, the transaction was revoked.

https://cchain.explorer.avax.network/tx/0xc5b769e26fb0f384965c407a08d38e875a4aa1c39944176b426998dbb18da617

2. The first successful attack, dynamically created contract 0x4b4c4044207aa5da6b585fed9e8ffc04bb55d2df (dynamic contract 1), attacker invoked attack contract 1 to supply, then invoked leveraged trading through dynamic contract 1, exchanged QI with WETH.e.

https://cchain.explorer.avax.network/tx/0xc490b881f7434af48a1f39ca2d71064e93a1802b5853e3312e8800468dc83b81

3. After attacking XAVA/WETH.e in a similar way, the contract failed again.

https://cchain.explorer.avax.network/tx/0xa64a3c1d1b36b3a8695c2be8d8069af75efbf50706e2517d438d19becef927af

https://cchain.explorer.avax.network/tx/0x9db7688d5886a1f17e4bf730af3d7785487e4c4ef70856dd9ac21b32703e3b29

September 20, 2021 09:16:47 PM UTC

4. After rewriting the new attack contract, attacker deployed attack contract 2. (0x490D25A327768bD5E3d2bF98B8E10419B3E70B82).

https://cchain.explorer.avax.network/tx/0xfd2c5979d2857f385cc0b055a2a4320e0e63e389404fd9e12a169dbdb5b20ac0

September 20, 2021 09:31:31 PM UTC

5. Attacker repeated the above steps.

6. Attacker repeatedly used AugustusSwapper to trade USDT.e to ETH.e.

https://cchain.explorer.avax.network/tx/0x83821d9869467395583f1d42be15b5e0387e30634fcc2ac75d005ac190dc94dc

7. The attacker deployed another attack contract 3 on September 20, 2021 11:20:50 PM UTC (0xb040c4CdCF1B485F284795351211c832F2D4cd96).

https://cchain.explorer.avax.network/tx/0xb9581cb407c67db29a18ce9f056be69d05e0c47909c988a9fd0fe07589bf9709

8. During and after the attack, the attacker kept transferring assets to Ethereum via the Avalanche Bridge, for example,

https://cchain.explorer.avax.network/tx/0x84ec1d428149a73bebc4adcc8bc2906647e2ad4e43ceb8435e6ffeb9298a9bc0/token-transfers

We will keep you updated on this incident through our social media and community announcements.

Thanks.

--

--

Vee Finance
Vee Finance

Written by Vee Finance

A lending protocol platform on Avalanche that bridges the gap between traditional financial users and crypto users. https://vee.finance/home