Avalanche DeFi Project Vee Finance Loses Over $35 Million in Hack

September 24, 2021, 10:00 AM AEST

A day after Vee Finance announced it had more than US$300 million total value locked on the protocol, it was hit by an attack draining an estimated US$35 million.

By September 21, a total of 8,804.7 ETH and 213.93 in bitcoin had been stolen by attackers. Vee Finance is a lending and borrowing protocol built on the Avalanche blockchain that offers both flexible and fixed returns on crypto deposits.

Since its launch on September 14, the platform boasted that the total value of assets locked surpassed US$300 million, drawing the eyes of potential attackers.

The perpetrators found an exploitable flaw in the process of creating an order for leveraged trading: the oracle used only the price of the Pangolin pool as the source of its price feed.

When the price fluctuates by more than 3 percent, the oracle needs to be refreshed, which in this case opened a window for the attacker to manipulate the price reported by the Vee Finance oracle.

The attacker manipulated the number of tokens in the Pangolin pool to make Vee Finance’s oracle refresh the price. As a result, the contract obtained the wrong price from the oracle during the slippage check, and the check was bypassed. A detailed attack analysis can be found on Vee’s official Medium blog.
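
A simplified Python model of the flaw described above, added here as an illustration and not taken from Vee Finance's or Pangolin's code: when the oracle's only source is the pool being traded against, the slippage reference moves with the skewed price and the check passes, while a median over independent feeds rejects the order. The pool reserves, feed values, slippage tolerance and all names are assumptions.

```python
"""Simplified model (assumptions throughout): not Vee Finance or Pangolin code."""
from statistics import median

REFRESH_THRESHOLD = 0.03  # oracle refreshes on a >3 percent move (figure from the article)
MAX_SLIPPAGE = 0.03       # assumed order slippage tolerance

class Pool:
    """Constant-product pool (base * quote = k), standing in for the single price source."""
    def __init__(self, base, quote):
        self.base, self.quote = base, quote

    def spot_price(self):
        return self.quote / self.base

    def swap_quote_in(self, amount):
        k = self.base * self.quote
        self.quote += amount
        self.base = k / self.quote  # base reserve shrinks, so the spot price rises

class SinglePoolOracle:
    """Oracle whose only source is one pool's spot price."""
    def __init__(self, pool):
        self.pool, self.price = pool, pool.spot_price()

    def read(self):
        spot = self.pool.spot_price()
        if abs(spot - self.price) / self.price > REFRESH_THRESHOLD:
            self.price = spot  # refresh copies whatever the pool currently shows
        return self.price

def within_slippage(exec_price, reference):
    return abs(exec_price - reference) / reference <= MAX_SLIPPAGE

def weak_check(pool, oracle):
    # Execution price and reference both derive from the same pool state.
    return within_slippage(pool.spot_price(), oracle.read())

def hardened_check(pool, oracle, independent_feeds):
    # Reference is the median of the pool oracle and feeds the pool cannot move.
    reference = median([oracle.read(), *independent_feeds])
    return within_slippage(pool.spot_price(), reference)

def demo():
    pool = Pool(base=1_000.0, quote=3_000_000.0)  # constructed reserves, price 3000
    oracle = SinglePoolOracle(pool)
    feeds = [3000.0, 3010.0]                      # constructed independent prices
    before = (weak_check(pool, oracle), hardened_check(pool, oracle, feeds))
    pool.swap_quote_in(1_500_000.0)               # one large trade skews the pool
    after = (weak_check(pool, oracle), hardened_check(pool, oracle, feeds))
    return before, after
```

`demo()` returns the pair of check results before and after the pool is skewed; only the hardened check changes its answer.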

Only ETH and BTC Stolen

As this incident occurred in the pending contract, the assets on the Stable Coin sector were not affected by the attack. So far, USDT.e, USDC.e and DAI.e assets in the Stable Coin sector have not been attacked. All pending orders were suspended, meaning that no new pending orders could be created, and existing pending orders could not be executed.

The company said it had located the address that collated US$35 million worth of crypto and suspended it.

According to address monitoring, the attacker has not yet transferred, or processed, the attacked assets any further. We are actively dealing with it and have proactively communicated [with] the attacker on the chain.

Vee Finance

According to Vee Finance, “The company, whose partners include the Avalanche blockchain and Chainlink, a platform that creates DeFi applications, said it had contacted the hacker and was trying to negotiate a solution.”

The report stated that the problem has since been fixed and that Pangolin.Exchange was not affected and is still safe to use. Vee Finance posted that it had made a white hat bounty available to the hacker if the funds were returned.

This is the second major hack on an Avalanche-based platform in a week. The first was on Zabu Finance, a DeFi protocol that supports peer-to-peer activity without a central player such as a bank or broker. Zabu revealed it had lost US$3.2 million to an attack on September 13, which also resulted in a 99 percent price drop.

