Vee Finance Latest Updates (Sept. 24)

Vee Finance
Sep 24, 2021

Since the VEE Finance team discovered the incident on September 20, we have made progress through the following steps.

1. Locating the attacker and assets

After the incident, the VEE team immediately suspended the smart contracts for the security of the assets.

https://twitter.com/VeeFinance/status/1440102406499356675

We also updated community users and the media on our progress.

https://twitter.com/VeeFinance/status/1440102406499356675

Moreover, the VEE team tried to establish communication with the attack address.

https://twitter.com/VeeFinance/status/1440217570339016704

We worked with on-chain security auditing companies and DEXes to closely monitor the flow of funds.

https://twitter.com/VeeFinance/status/1440454315437486094

https://twitter.com/VeeFinance/status/1440810202463289352

We analyzed the details of the attack. https://twitter.com/VeeFinance/status/1440314040991969290

We put out a bounty worth 500,000 USD for the person or team who can track down the attacker. https://twitter.com/VeeFinance/status/1440911549250539521

2. Reviewing the event

Several security agencies have commented on the incident and provided their descriptions.

VEE.Finance Attack Analysis

After we identified suspicious behavior, we paused the smart contracts for the security of the assets and then did a thorough review of all the transactions. Here are the details about the attack.

https://veefi.medium.com/vee-finance-attack-analysis-a4839724e085

SlowMist: The Main Cause of Vee Finance Attack

The main cause of the accident was that in the process of creating an order for leveraged trading, only the price of the Pangolin pool was used by the oracle as the source of price feed, and the pool price fluctuated more than 3%. The oracle refreshed the price, causing the attacker to manipulate the price of the Pangolin pool. Manipulating the price of the Vee Finance oracle machine and the acquisition of the oracle machine price were not processed for decimals, with the result that the expected slippage check before the swap did not work.

https://slowmist.medium.com/the-main-cause-of-vee-finance-attack-52fc8e5fb13d
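The two weaknesses named in the SlowMist summary (a single price source, and a slippage check that does not account for token decimals) can be shown with a small fixed-point model. This is an added illustration, not code from Vee Finance or SlowMist; the function names, token decimals, prices, the 3% tolerance and the median-of-feeds mitigation are all constructed assumptions.

```python
# Added illustration: fixed-point slippage check with and without decimal
# normalization. Token decimals, prices and amounts are constructed values.
PRICE_SCALE = 10**18  # assumed: price = token_out per token_in, scaled by 1e18

def min_out_naive(amount_in, price, tolerance_bps):
    """Flawed: treats raw units of token_in as raw units of token_out."""
    expected = amount_in * price // PRICE_SCALE
    return expected * (10_000 - tolerance_bps) // 10_000

def min_out_normalized(amount_in, price, tolerance_bps, dec_in, dec_out):
    """Rescales the expected output into token_out's raw units first."""
    expected = amount_in * price // PRICE_SCALE
    if dec_out >= dec_in:
        expected *= 10 ** (dec_out - dec_in)
    else:
        expected //= 10 ** (dec_in - dec_out)
    return expected * (10_000 - tolerance_bps) // 10_000

def reference_price(prices, max_spread_bps):
    """Median of several independent feeds; refuses to quote if they disagree."""
    ordered = sorted(prices)
    mid = ordered[len(ordered) // 2]
    if (ordered[-1] - ordered[0]) * 10_000 > mid * max_spread_bps:
        raise ValueError("price sources diverge; refusing to quote")
    return mid

def swap_allowed(actual_out, min_out):
    """The slippage gate: the swap proceeds only if output meets the floor."""
    return actual_out >= min_out

def demo():
    dec_in, dec_out = 6, 18            # constructed: 6-decimal in, 18-decimal out
    amount_in = 1_000 * 10**dec_in     # 1,000 input tokens
    fair_price = 2 * PRICE_SCALE       # 2 output tokens per input token
    actual_out = 200 * 10**dec_out     # skewed pool returns 10% of fair value
    naive = min_out_naive(amount_in, fair_price, 300)
    fixed = min_out_normalized(amount_in, fair_price, 300, dec_in, dec_out)
    # Naive floor is 12 orders of magnitude too low, so the bad swap passes.
    return swap_allowed(actual_out, naive), swap_allowed(actual_out, fixed)

if __name__ == "__main__":
    print(demo())
```

With the unnormalized floor the check accepts a swap that returns a tenth of fair value; once the floor is expressed in the output token's units, the same swap is rejected.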

3. Fixing the Vulnerability

To protect the safety of users' assets, we immediately suspended all operation contracts.

Stable Coin Sector: the security of funds is not affected by the attack

The following functions are available:

Withdraw (if enough liquidity)

Repay

The following functions are not available:

Borrow

Supply

Crypto Sector: funds are affected by the attack

The following functions are available:

Withdraw (if enough liquidity)

Repay

The following functions are not available:

Supply

Borrow

Trade: All pending orders are suspended (no new pending orders can be created, existing pending orders cannot be executed)

We will publish the platform restart plan as well as the compensation plan to our users within the next 48 hours through our social media and community announcements.

Thanks.

VEE Finance Team

Vee Finance

A lending protocol platform on Avalanche that bridges the gap between traditional financial users and crypto users. https://vee.finance/home