vETH Token Hack Analysis
Overview:
On November 14, 2024, the vETH token was exploited through a business logic error in its liquidity-adding flow, resulting in an estimated loss of 450K USD.
Smart Contract Hack Overview:
Attacker address: 0x713d2b
Vulnerable contract: 0x280a89
Attack Transaction: 0x900891

Decoding the Smart Contract Vulnerability:
- The vETH token contract exposes a takeLoan function that only an authorised factory contract can call.
- The factory contract exposes a function that adds liquidity to the Uniswap vETH-BIF pair: it borrows vETH through takeLoan and pairs it with BIF tokens supplied by the user.
- Adding liquidity this way changes the pair's reserves and raises the invariant k in the constant-product formula x * y = k.
- Because the vETH side of the deposit is borrowed from the protocol rather than paid for by the caller, the attacker was able to drive this flow so as to shift the pool state and walk away with vETH without paying its proper cost.
Mitigation and Best Practices:
- Treat takeLoan as a privileged primitive. Restricting it to the factory is necessary but not sufficient: every factory entry point that reaches it must validate its own inputs (amounts, recipient, target pair), so an unprivileged caller cannot use the factory as a proxy for borrowing vETH on arbitrary terms. Add further controls such as per-transaction loan caps and a time lock on changes to the authorised factory address.
- In the factory, check the pool state before and after the liquidity operation: the vETH borrowed should be bounded by the user's BIF contribution at the current pool ratio, and the reserves should change by exactly the amounts the factory supplied. Revert on any other change instead of assuming k moves only as intended.
- Back the business logic with comprehensive tests that cover adversarial paths (unexpected callers, extreme amounts, pre-manipulated pool reserves), not only the happy path.
- To prevent such vulnerabilities, have experienced smart contract auditors examine the contracts for logic issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Our public audit reports can be found at https://github.com/Credshields/audit-reports. Schedule a call at https://credshields.com/
- Scan your Solidity contracts against the latest common security vulnerabilities with 225+ detections at SolidityScan.
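
The following is an added illustration of the two factory-side checks above, written for this write-up; it is not the vETH or Factory code involved in the incident. The takeLoan signature, the escrow design and the contract names are assumptions; the pair interface follows Uniswap V2. The factory, not the caller, decides how much vETH to borrow, and it verifies that the reserves moved by exactly what it supplied.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative hardened factory (added example, not the incident's code).
// Assumptions: takeLoan(to, amount) mints/transfers vETH and is callable only
// by this factory; LP tokens are escrowed here rather than handed to the user.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IVETH is IERC20 {
    // Assumed shape of the privileged primitive described in the write-up.
    function takeLoan(address to, uint256 amount) external;
}

// Subset of the Uniswap V2 pair interface.
interface IUniswapV2Pair {
    function token0() external view returns (address);
    function getReserves() external view returns (uint112, uint112, uint32);
    function mint(address to) external returns (uint256 liquidity);
}

contract HardenedFactory {
    IVETH public immutable veth;
    IERC20 public immutable bif;
    IUniswapV2Pair public immutable pair;
    bool private entered;

    // LP minted against loaned vETH is held by the factory per user, so the
    // loaned vETH cannot be withdrawn simply by burning LP. The redemption
    // path (burn, repay loan, return BIF) is out of scope for this sketch.
    mapping(address => uint256) public escrowedLiquidity;

    event LiquidityAddedWithLoan(address indexed user, uint256 bifIn, uint256 vethLoaned, uint256 liquidity);

    constructor(IVETH _veth, IERC20 _bif, IUniswapV2Pair _pair) {
        veth = _veth;
        bif = _bif;
        pair = _pair;
    }

    modifier nonReentrant() {
        require(!entered, "reentrancy");
        entered = true;
        _;
        entered = false;
    }

    // Reserves ordered as (vETH, BIF) regardless of token0/token1 ordering.
    function _reserves() internal view returns (uint256 rVeth, uint256 rBif) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        if (pair.token0() == address(veth)) {
            (rVeth, rBif) = (uint256(r0), uint256(r1));
        } else {
            (rVeth, rBif) = (uint256(r1), uint256(r0));
        }
    }

    // The user supplies only BIF; the factory computes the vETH to borrow.
    function addLiquidityWithLoan(uint256 bifAmount, uint256 minLiquidity)
        external
        nonReentrant
        returns (uint256 liquidity)
    {
        require(bifAmount > 0, "zero BIF");
        (uint256 rVeth, uint256 rBif) = _reserves();
        require(rVeth > 0 && rBif > 0, "pool not initialised");

        // Borrow exactly what the pool currently prices the BIF at. The caller
        // has no say in this amount, so it cannot obtain vETH below pool price.
        uint256 vethLoan = (bifAmount * rVeth) / rBif;
        require(vethLoan > 0, "BIF amount too small");

        require(bif.transferFrom(msg.sender, address(pair), bifAmount), "BIF transfer failed");
        veth.takeLoan(address(pair), vethLoan);
        liquidity = pair.mint(address(this));
        require(liquidity >= minLiquidity, "insufficient liquidity minted");

        // Post-condition: reserves must have grown by exactly what we sent.
        // Pre-donated tokens, a reentrant swap, or any other drift reverts.
        (uint256 nVeth, uint256 nBif) = _reserves();
        require(nVeth == rVeth + vethLoan && nBif == rBif + bifAmount, "unexpected reserve change");

        escrowedLiquidity[msg.sender] += liquidity;
        emit LiquidityAddedWithLoan(msg.sender, bifAmount, vethLoan, liquidity);
    }
}
```

Two caveats a practitioner would want noted: the loan ratio is taken from spot reserves, so if the factory ever releases loaned vETH to users, the ratio should come from a TWAP or be bounded by a caller-supplied maximum rather than the current block's reserves; and the strict post-condition will also revert when someone has donated tokens to the pair, which is the intended fail-closed behaviour but means the pair should be skimmed before retrying.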

Conclusion:
SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup
Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord