Avalanche DeFi Project Vee Finance Loses Over $35 Million in Hack

A day after Vee Finance announced it had more than US$300 million total value locked on the protocol, it was hit by an attack draining an estimated US$35 million.

By September 21, a total of 8,804.7 ETH and 213.93 in bitcoin had been stolen by attackers. Vee Finance is a lending and borrowing protocol built on the Avalanche blockchain that offers both flexible and fixed returns on crypto deposits.

Since its launch on September 14, the platform boasted that the total value of assets locked surpassed US$300 million, drawing the eyes of potential attackers.

🚨https://t.co/OAPeeOaX4K Incident Announcement

The VEE Finance team has suspended the platform contracts to ensure the safety of more users’ assets, and has suspended the deposit and borrow function.

The Stable Coin section is not affected by the attackhttps://t.co/OBYC4EXCbs

— vee.finance🔺 (@VeeFinance) September 21, 2021

The perpetrators found an exploit in the process of creating an order for leveraged trading, where only the price of the Pangolin pool was used by the oracle as the source of price feed.

When price fluctuates more than 3 percent, the oracle needs to be refreshed, in this case opening a window for the attacker to manipulate the price of the Vee Finance oracle machine.

The attacker manipulated the number of Pangolin’s tokens to make Vee Finance’s oracle machine refresh the price. This directly caused the contract to obtain the wrong price from the oracle during the slippage check, which caused it to be bypassed. A detailed attack analysis can be found on Vee’s official Medium blog.

Only ETH and BTC Stolen

As this incident occurred in the pending contract, the assets on the Stable Coin sector were not affected by the attack. So far, USDT.e, USDC.e and DAI.e assets in the Stable Coin sector have not been attacked. All pending orders were suspended, meaning that no new pending orders could be created, and existing pending orders could not be executed.

The company said it had located the address that collated US$35 million worth of crypto and suspended it.

According to address monitoring, the attacker has not yet transferred, or processed, the attacked assets any further. We are actively dealing with it and have proactively communicated [with] the attacker on the chain.

Vee Finance

According to Vee Finance, “The company, whose partners include the Avalanche blockchain and Chainlink, a platform that creates DeFi applications, said it had contacted the hacker and was trying to negotiate a solution.”

The problem has been fixed in the meantime and the Pangolin.Exchange has not been affected and is still safe to use, stated the report. Vee Finance posted it had made the white hat bounty available to the hacker if the funds were returned.

2/2
2)We urge the attacker to contact us ASAP, so we can work out a plan, our $500K White Hat bounty offer is still valid.

— vee.finance🔺 (@VeeFinance) September 23, 2021

This is the second major hack on an Avalanche-based platform in a week. The first was on Zabu Finance, a DeFi protocol that supports peer-to-peer activity without a central player such as a bank or broker. Zabu revealed it had lost US$3.2 million to an attack on September 13, also resulting in a 99 percent price drop.