$4 800 000 USD
DESCRIPTION OF EVENTS
"Eleven Finance is a platform empowering high APY vaults in the Binance Smart Chain ecosystem. Our platform with a focus on being fast moving and community will offer a dynamic and broad range of vaults to provide our users with optimised yield strategies."
"As the Decentralised Finance (defi) world grows, the search for the best yield grows with it." "Our vaults will initially utilise liquidity provider tokens from the ecosystems most popular exchange, Pancakeswap.finance. As further opportunities for yield present themselves in the BSC ecosystem our vaults will adapt to take advantage of these. Users staking these tokens in our vaults will be able to take advantage of our yield optimisation strategies and enjoy fantastic returns."
Their "lending bank was audited by Solidity Finance", however that's a different smart contract.
"On June 22, 2021 Eleven Finance withdrawal logic vulnerability was exploited which resulted in the theft of $4.5M."
A "malicious exploiter found a way to abuse one small subset of vaults and successfully drained all their funds." "Upon analysis the cause of the exploit was developer oversight. The emergencyBurn() function not burning shares allowed the attacker to execute this attack." "A hacker exploited the logic error in the "emergencyBurn()" function in the "ElevenNeverSellVault" contract. The error allows the attacker to withdraw more Nerve tokens from the contract than it supposes to, and the attacker enlarges the profit with the assist of flash loans."
"This has resulted in a 100% loss of funds from these vaults, totalling around $4.5 million USD." "[A]pproximately $4.8M in deposited funds were stolen, which accounted for approximately 4% of TVL at the time of the exploit. Drained vaults were nrvBTC, nrvETH, 3nrv, nrvUST, nrvfUSDT, and bfUSD."
"Bigfoot.eleven.finance has been taken down to ensure lenders won’t lend more funds to bfUSD, that bank with uses an affected NRV vault. We are researching the potential to recover some number of funds from here."
"After a few days of hard work and an extremely complex process of pausing/unpausing contracts, liquidating all positions and intercepting the funds before anyone could drain them again, we managed to recover them all." "In short, everyone recovered their leveraged farming position with 0% liquidation fee and we intercepted all borrowed funds for a total of extra $260,000."
"We have been collaborating and exchanging information with ImpossibleFin, Peckshield and others in the space. They have been doing an amazing job, we can’t comment too much on the specifics but can say their are potential suspects and ongoing local police reports and legal prosecution underway in order to recover as many funds as possible."
"To date, all team profits have been aggressively reinvested in: salaries, development, high profile audits and partnerships. Because of this, team funds were running low when everything happened." "[E]ven with our limited resources, we want to try and achieve full compensation while still achieving our ambitious goals. After a lot of internal debating on best solutions we think we have found the most optimal plan moving forward."
"The majority of exploited funds were in USD, so we will snapshot the value at the time of exploit and consider the exploited funds as USD for everyone." "We are going to refund 25% instantly to everyone affected in the exploit ($1.2M). We don’t have these funds, and to achieve this, the team will contract personal debt from a kind investor who is willing to lend out funds to make it possible." "For that, since there is $512K in the Compensation Fund already, we need to invest $688K to make it $1.2M in total. This funds will be paid directly from platform fees and team allocations."
"We as a team take full responsibility for the exploit and funds lost." "Given our limited resources, we had to be as creative as possible." "If we reach all our future plans (more on that later), we estimate team should recover debt in less than 3 months. For obvious reasons, a minimal emergency fund for developing and securing the platform will be still held in treasury." "Eleven needs to keep growing with a sustainable ecosystem and keep delivering its roadmap. Only then, the impact of recovering funds will be small enough for the protocol to absorb it successfully."
"A “Recovery Vault” (RV) will be created. It will be a storage vault that keeps accumulating ELE from different sources constantly until compensation is fully reached. 3.6M of “11RV” tokens will be minted. The quantity of tokens represent the value of the $3.6M funds to be recovered. 11RV is a fully compliant ERC-20 token (more on this below). All 11RV tokens will be staked in the vault and then distributed to every affected user proportionally to how much they had at the exact moment of the exploit. It will be easy on Recovery Vault UI to track the current value of your 11RV token. The final goal is that one 11RV = $1. Everyone is free to withdraw their staked tokens whenever they want. User who exits will burn all his 11RV and receive his proportional share of the current total compensation funds." "[S]ince 11RV is a fully compliant ERC-20 token, it can be traded and exchanged."
"From now on, every new strategy we create, will be instantly sent for auditing before its released. Also, if a strategy doesn’t improve too much by adding overly complicated features, it shouldn’t be worth it. Less is more in this case." Since the exploint, Eleven Finance requested and obtained an audit from CertiK.
"Some of the funds were returned after an unknown action by BSC team." "[T]he guy who exploited consecutively Impossible Finance and Eleven Finance sent back what he took." "Surprisingly, 48 hours after the exploit, 849.2 BNB was sent back to original Eleven deployer address by a self-proclaimed whitehat hacker. This deployer address was not the current one but we quickly moved the funds to the new one to secure the funds. Whoever was involved in this, we are thankful as for a project of our dimensions every little bit helps."
An Eleven Finance smart contract which had not been audited had an exploit.
An attacker used this error to withdraw more funds than they should have been able to, and drain liquidity pools.
They later returned the funds.
HOW COULD THIS HAVE BEEN PREVENTED?
Funds were stored online (in a smart contract hot wallet) and there was no oversight/validation on withdrawals. The team did not have any funds available to handle this situation.
CertiK Blockchain Security Leaderboard (Jun 1)
No Title (Jul 24)
Eleven Finance Incident Root Cause Analysis (Jul 24)
Rekt - Eleven Finance - REKT (Jul 24)
@johndoughbull Twitter (Jul 24)
blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11)
Analysis of the lightning loan attack on the machine gun pool related to Nerve in Eleven Finance | by Knownsec Blockchain Lab | Medium (Aug 11)
Vault ELEVEN.FINANCE (Aug 14)
CertiK Security Leaderboard - Eleven Finance (Aug 14)
Introduction - Eleven Finance (Aug 15)
Eleven Finance Nrv Vault Exploit And Loss Of Funds A Post Mortem (Aug 15)
Eleven Finance Recovery Plan (Aug 15)
Binance Transaction Hash (Txhash) Details | BscScan (Aug 15)
Eleven Finance price today, ELE live marketcap, chart, and info | CoinMarketCap (Aug 15)