Quadriga Initiative

Nov 2021 - Vesper Finance Oracle Attack - $3.37m (Global)

"DeFi, Simplified. Choose your pool, deposit your crypto, and let Vesper put DeFi to work for you."

"Vesper provides a platform for easy-to-use Decentralized Finance (DeFi) products." "At launch, Vesper offers a variety of interest-yielding "Grow Pools" that enable users to passively increase their crypto holdings by simply selecting the desired aggressiveness of their strategy and the digital asset held. The Vesper Grow Pools represent the first product on the Vesper platform. More will be developed and presented over time."

"VSP incentivizes participation, facilitates governance, and catalyzes user contribution. Users earn VSP through pool participation and, later, participating in Vesper's continuous improvement." "Vesper is building a user community that sustains and grows the product portfolio, facilitates progressive decentralization, and enables users to build new products while earning a share of that product's fees."

"Vesper's DeFi products deliver ease-of-use in achieving your crypto-finance objectives. The Vesper token (VSP) is the core economic engine that facilitates the building and expansion of Vesper’s capabilities and its community."

"The primary risk faced by Vesper pools is a 'black swan' event, where a pool's underlying asset sees a rapid flash crash. In extreme cases, the debtor will not be able to modify their loan fast enough to avoid liquidation. This is a broader risk that affects DeFi lending protocols as a whole." "In the worst case scenario, a partial liquidation is enforced by the lending protocol. For example, Maker currently carries a 13% fee on the capital liquidated. This would reflect a loss to pool participants." "This risk is further mitigated by the stablecoin offerings. There is no 'volatility' risk with stablecoins apart from the doomsday scenario in which they lose their peg. Such an event would be wholly unrelated to the Vesper ecosystem."

"All Vesper strategies went through two rounds of independent audits. All further contracts, both team and community developed, will additionally go through auditing before they are pushed to Mainnet. More information about Vesper audits can be found in our Gitbook." "All Vesper Holding pools are assigned a “risk factor” that reflects the number and complexity of contract interactions, collateralization rates, and security of protocols interacted with. Qualitatively, each pool’s risk factor is scored as “Conservative” or “Aggressive.”"

"Initially, the total supply of VSP is 10 million. The mint function is timelocked for 12 months. This protects from any drastic tokenomic changes until the token has adequately circulated and governance is 100% community owned. Token holders alone will make these decisions for themselves. Learn more about the timelock and other Vesper features." "Vesper’s governance is a progressive process that ultimately transfers 100% ownership and control to VSP holders. Recognizing shortcomings of “Day-1-DAOs” before Vesper, this strategy reserves appropriate controls to the team until the community and token has matured and is prepared to govern itself. Read more about Vesper governance principles and timeline." "Both VUSD and pool #23 are beta."

"Vesper Finance suffered an oracle manipulation attack." "2021-11-02-1400ET -- At about 2:00 p.m. UTC, an attacker created a Uniswap LP position on VUSD. As VUSD is a low-liquidity token (a stablecoin project in beta), the attacker was able to manipulate the price outside of its price band."

"An attacker created a Uniswap LP position on VUSD. As VUSD is a low-liquidity token, the attacker was able to manipulate and raise the VUSD price. This enabled it to come to the Rari Fuse pool #23 (“Vesper Lend Beta”) with inflated collateral, which was used to borrow all of the tokens from that pool."

"All tokens in that pool were then swapped for ETH, netting the attacker over $3 million."

"As a first step, the attacker got 100 ETH from tornado.cash, so as to ensure privacy. They then swapped 58 ETH for USDC. Using this USDC, they purchased all available VUSD on Uniswap v3 0.05% fee tier, pushing that market out-of-range. They then created a new LP position of 0.1 USDC marked at a price of trillions of VUSD per USDC. The Uniswap v3 oracle therefore reported a price in the trillions for the 0.05% fee range. The Rari lending market received the VUSD price using the price feed from the Uniswap v3 oracle and valued VUSD collateral at a price of “infinity.” The attacker provided the purchased VUSD as collateral to Vesper Lend, which essentially gave them “infinite” collateral to borrow all available assets. The attacker used the VUSD collateral to borrow roughly 3.5 million in miscellaneous assets. 735 ETH accrued."

"As of this evening U.S. time, here’s what the aftermath of the exploit looks like for different users:"

"Vesper Lend beta (Rari Fuse Pool #23): Users will see a higher APY across all tokens because of the debt taken on by the exploiter. However, vVSP holders will not be able to withdraw until more liquidity becomes available. For those who do want to withdraw, this will open up over the next few weeks — liquidity will slowly open up as the narrow channel of supply widens to meet the flow of demand."

"Vesper Grow (Aggressive): Funds are SAFU. Aggressive pools used Rari Fuse Pool #23 partially as a yield source. Users will also see a slightly higher APY here."

"Vesper Earn (Beta): Funds are SAFU. Similarly, users will see a slight APY bump. Vesper Earn uses the Vesper Aggressive DAI Pool as a yield source, which in turn used Rari Fuse Pool #23."

"Vesper Grow (Conservative): Funds are SAFU. These users are not affected, as no Conservative Grow pools used Rari Fuse Pool #23 as a yield source."

"VUSD Holders: Funds are SAFU. VUSD price was manipulated upward, but the collateral system remains solvent."

"As soon as the community and VBC team became aware of the issue, it [c]oordinated with Rari Capital, Yearn, and Uniswap to assess the situation and determine solutions, [p]aused borrowing of VUSD and vVSP on #23, [s]et VUSD’s collateral factor to “zero.”, [and p]aused all other activity to focus on addressing this exploit." "The team is continuing to investigate the full impact of this exploit, working closely with Rari, Yearn, and Uniswap."

"The VBC and Rari teams continue to work together to assess any users who were liquidated due to the price manipulation attack. Now that VUSD price is restored, the next step is turning liquidations back on, and getting the attacker off the platform. Then the market will be ok and safe to use again (still at beta risk level)."

"It is our hope that we can make everybody whole, but we cannot make this promise, until we have done a full and complete accounting, which may stretch into early next week. Some VVSP liquidity has already returned — You’re getting a great APY right now! — which means that others can start to withdraw their VVSP."

Further Analysis

Vesper Finance offers a number of liquidity protocols, targeted to be simpler for newer users to the DeFi space. All their offerings are audited. One of their newer lending pools (in beta) relied on a price oracle that could be manipulated, a vulnerability in the smart contract hot wallet, and this was exploited. The attacker funded the attack through Tornado Cash and was able to make off with the funds. The team initially shut down the smart contract and later brought it back online. It's unclear if affected users were fully compensated, though the team stated their intention to make everything right.
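The failure mode described above, a lending market valuing collateral at whatever the last oracle tick says, set beside a guarded consumer that refuses prices outside the stablecoin's expected band, as an added illustration. This is a Python simulation written for this page, not code from Vesper, Rari or Uniswap; the price observations, the 5% band and the 0.75 collateral factor are constructed assumptions.

```python
from statistics import fmean

# Constructed sample: per-block VUSD/USDC prices as a Uniswap-v3-style oracle
# might report them. The peg is 1.0; the final value models a single tiny LP
# position placed at trillions of VUSD per USDC (an assumption, not chain data).
HONEST_OBS = [0.999, 1.001, 1.000, 0.998, 1.002]
MANIPULATED_OBS = HONEST_OBS + [1e12]

def spot_price(obs):
    """Naive consumer: trusts the latest tick, whatever its liquidity."""
    return obs[-1]

def twap(obs, window):
    """Time-weighted average over the last `window` observations."""
    return fmean(obs[-window:])

def guarded_price(obs, window=5, peg=1.0, band=0.05):
    """Defensive consumer: average over a window, then refuse any value
    outside the stablecoin's expected band. Returns None to signal that the
    market should stop valuing this collateral rather than guess a price."""
    p = twap(obs, window)
    if not peg * (1 - band) <= p <= peg * (1 + band):
        return None
    return p

def borrow_capacity(collateral_units, price, collateral_factor=0.75):
    """Max debt the market will issue against the collateral; 0 when the
    oracle declines to price it (equivalent to a zero collateral factor)."""
    if price is None:
        return 0.0
    return collateral_units * price * collateral_factor

def compare(obs, collateral_units=10_000.0):
    """Borrow capacity the two oracle designs would grant for the same collateral."""
    return {
        "spot": borrow_capacity(collateral_units, spot_price(obs)),
        "guarded": borrow_capacity(collateral_units, guarded_price(obs)),
    }

if __name__ == "__main__":
    for name, obs in (("honest", HONEST_OBS), ("manipulated", MANIPULATED_OBS)):
        print(name, compare(obs))
```

Note that a short TWAP alone still averages in the spike, so the band check is what actually halts borrowing; the practical mitigation is to pause the market (the equivalent of setting the collateral factor to zero) rather than to trust any single liquidity source.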

How Could This Have Been Prevented?

It's unclear what level of auditing was performed on the smart contract in question. We recommend at least two independent audits. In order to fully protect against losses, the majority of funds should be stored offline in multi-signature wallets held by trained and reputable individuals, with the remaining "hot" funds protected by a self-insurance treasury, comprehensive smart contract insurance, and/or an industry insurance fund. In this way, investors are fully protected.

Sources/Further Reading

https://blog.insurace.io/security-incidents-in-november-e4bcb39dd7f9 (Feb 1)
On The Vesper Lend Beta Rari Fuse Pool 23 Exploit (Feb 6)
https://etherscan.io/tx/0x89d0ae4dc1743598a540c4e33917efdce24338723b0fabf34813b79cb0ecf4c5 (Feb 7)
Introduction - Vesper Documentation (Feb 7)
Discussion of Risk - Vesper Documentation (Feb 7)
https://vesper.finance/security/ (Feb 7)
@VesperFi Twitter (Feb 7)
https://etherscan.io/tx/0x8527fea51233974a431c92c4d3c58dee118b05a3140a04e0f95147df9faf8092 (Feb 7)
https://etherscan.io/address/0xa3f447feb0b2bddc50a44ccd6f412a5f98619264 (Feb 7)
https://coinmarketcap.com/currencies/ethereum/historical-data/ (Dec 21)
https://m.facebook.com/hackposts/posts/116761580474021 (Feb 12)
@VesperFi Twitter (Feb 12)
