Verichains Weekly Security Digest | April 2023 Week 3
In this week’s digest, Verichains will discuss our recent audit of OpenEden Vault Smart Contract, an interesting use case for DeFi backed by regulated traditional assets. In last week's incident news, the total hacked amount was $11.5 million.
Securing DeFi Use Case For Institutional Investment
OpenEden Vault smart contracts were successfully audited by Verichains. OpenEden novel approach to DeFi is to be the first contract vault managed by a regulated entity to offer investors direct access to US Treasury Bills.
Unlike retail investors, institutions often invest and trade with significant sums of money while needing to comply with existing regulations. Before the recent collapse of a number of prominent crypto banks and exchanges, these institutions were risking compliance, by directly trading through unregulated means or vehicles.
In the wake of their collapses, the demand from institutions for crypto and DeFi remains bullish and created a new market opportunity for projects like OpenEden to fulfill this demand.
From our security audit, Verichains can verify that OpenEden Vault is secure with no high or critical vulnerabilities and we wish OpenEden success in the upcoming public launch.
Read OpenEden’s public audit report here:
https://github.com/verichains/public-audit-reports/blob/main/Verichains%20Public%20Audit%20Report%20-%20OpenEden%20Vault%20-%20v1.1.pdf
Last Week’s Incidents
🚨Project: Hundred Finance
⛓️Chain: Optimism
💥Type: FlashLoan Exchange Rate Manipulation & ERC4626 Inflation Attack
💸Loss amount: $7 million
Hundred Finance was the latest victim of a flashloan attack closing around $7 million. The hacker gave 200 WBTC to Hundred Finance and got 200 hWBTC tokens. They then deposited 500 WBTC which caused the price of hWBTC to rise by 250 times. This allowed the hacker to use hWBTC as collateral to borrow funds from other markets and drain current lending pools. At the time of writing, Hundred Finance had failed to make contact with the hacker through on-chain messages and had issued a $500,000 bounty for any information leading to their arrest and return of all funds.
https://twitter.com/HundredFinance/status/1648752607563771905?s=20
🚨Project: Yearn Finance ⛓️Chain: Ethereum
💥Type: Misconfiguration
💸Loss amount: $3 million
A DeFi platform called Yearn Finance was hacked for $3 million due to a bug in the iearn USDT token (yUSDT) contract that allowed a hacker to exploit multiple Curve pools and drain them, resulting in a loss for liquidity providers who deposited their LP tokens into downstream protocols. The bug persisted in several versions of the contract and has been present since its deployment over 1000 days ago. The hacker used a $12 million flashloan from Balancer to gain over $3 million by minting a massive amount of yUSDT and swapping it for other stablecoins. The vulnerability was caused by a misconfigured yUSDT contract. Yearn v2 Vaults remain unaffected and the team is investigating further.
🚨Project: MetaPoint
⛓️Chain: BSC
💥Type: Access Control
💸Loss amount: $920,000
MetaPoint ($POT) on the Binance Smart Chain (BSC) was hacked, resulting in a loss of $920K. The cause of the hack was a vulnerability in the contract that is created when users use the deposit function. The contract had a function called "approve," which allowed unrestricted access to $META tokens by the caller. The hacker exploited this vulnerability by creating attack contracts to call the function in bulk and approve the maximum value. To prevent further losses, the project has now locked the contract. On an interesting note, @YannickCrypto was able to leverage ChatGPT in the recovery of 36,800 $POT.
https://twitter.com/YannickCrypto/status/1645925807724929024?s=20
🚨Project: SwaposV2Pair ⛓️Chain: Ethereum 💥Type: Misconfiguration 💸Loss amount: ~$467,000
Approximately $467,000 was hacked from a recently deployed SwaposV2Pair contract on the Ethereum blockchain due to a misconfiguration error in its k-value, allowing the attacker to withdraw all funds from the contract pair.