Another classic lightning loan arbitrage: Wault.Finance hacked event analysis

At 10:23 AM on August 04, 2021, the SlowMist Intelligence System captured the suspected hacked intelligence of Wault.Finance ‘s WUSDMaster contract. The SlowMist security team immediately intervened in the analysis. The following is the detailed content of the analysis.

Event related party information

Attacker address: 0x886358f9296de461d12e791bc9ef6f5a03410c64

Attacker’s contract address A: 0xaa895873a268a387e38bd841c51d2804071197a1

Attacker’s contract address B: 0x50afa9383ea476bdf626d6fba62afd0b01c8fea1

Attacked project: https://app.wault.finance/bsc/#wusd

Address of the attacked project: 0xa79fe386b88fbee6e492eeb76ec48517d1ec759a (WUSDMaster contract of Wault.Finance)

Event related party background

Attacker: The hacker created the attack contract address A and launched the attack in the contract’s constructor.

Attacked project: WUSDMaster is a contract that pledges BSC_USDT in exchange for WUSD. WUSD can be obtained by staking BSC_USDT, and WUSD is burned through redeem, and then replaced with BSC_USDT. During this process, part of the funds will be transferred to the vault. (Treasury), WUSDMaster will use WEX to subsidize users.

The core point of the attack

In the stake function of the WUSDMaster contract, BSC_USDT and WUSD will be exchanged 1:1 when staking, but it also performed a swap operation. It is precisely because of this swap operation that it can be used by hackers for arbitrage.

The core problem : while allowing the amount to be exchanged for BSC_USDT and WUSD 1:1, the swap operation of WUSDMaster will additionally cause the tokens in the WaultSwapPair (BSC_USDT-WEX) pool to be unbalanced, thereby forming an arbitrage space.

Note: BSC_USDT and WUSD can also be understood as the price is also 1:1

Anatomy of the attack

Attacked transaction Txid

0x31262f15a5b82999bf8d9d0f7e58dcb1656108e6031a2797b612216a95e1670e

Attacked contract address

0xaa895873a268a387e38bd841c51d2804071197a1

Attacker address

0x886358f9296de461d12e791bc9ef6f5a03410c64

The address of the attacked project

0xa79fe386b88fbee6e492eeb76ec48517d1ec759a (WUSDMaster contract of wault.finance)

We can divide this process into 3 stages: preparing arbitrage funds, constructing arbitrage space, and implementing arbitrage .

The first stage: obtaining initial attack funds through flash loans

1. Borrow 16,839,004 WUSD through lightning loan in WaultSwapPair (BSC_BUSD-WUSD);

2. Call the redeem function in the WUSDMaster contract to burn the WUSD borrowed by the flash loan and replace it with BSC_USDT and WEX;

3. Go to PancakePair (WBNB-BSC_USDT) and borrow 40,000,000 BSC_USDT through lightning loan;

4. Replace the 23,000,000 BSC_USDT borrowed with WEX in WaultSwapPair (BSC_USDT-WEX). At this point the attacker is ready for arbitrage.

Number of WEX: 624,440,724 = 106,502,606 + 517,938,118

The source of WEX: redeem operation + WaultSwapPair (BSC_USDT-WEX) exchange income

The second stage: Make the BSC_USDT-WEX pool unbalanced to form arbitrage space

1. Call the stake function in the WUSDMaster contract many times (68 times);

2. The stake function will execute wswapRouter.swapExactTokensForTokensSupportingFeeOnTransferTokens to replace part of the pledged BSC_USDT with WEX, which will reduce the number of WEX in the WaultSwapPair (BSC_USDT-WEX) pool and increase the value;

3. After multiple stakes in the BSC_USDT-WEX pool, the number of BSC_USDT is large, and the number of WEX is small, forming an arbitrage space;

4. And every time the attacker calls stake, he will exchange BSC_USDT for WUSD at a 1:1 exchange rate, so the attacker will additionally unbalance the BSC_USDT-WEX pool when the exchange in this step can be lossless.

The third stage: arbitrage and repay the flash loan

1. The attacker exchanges the WEX prepared in the first stage in the unbalanced BSC_USDT-WEX pool, and can exchange for more BSC_USDT;

624,440,724 WEX => 25,930,747 BSC_USDT

2. The attacker replaced the WUSD obtained by calling the stake function multiple times (68 times) into BSC_BUSD through WaultSwapPair (BSC_BUSD-WUSD) after repaying the lightning loan, and the remaining 110,326 WUSD;

110,326 WUSD => 109,284 BSC_BUSD

3. Replace the obtained BSC_USDT and BSC_BUSD with BEP_ETH after paying off the flash loan.

MistTrack analysis process

The SlowMist AML team analyzed and calculated that the attacker finally made a profit of 370 BEP_ETH and transferred funds through Anyswap, resulting in a loss of approximately US$930,000.

Capital flow analysis

The analysis of the SlowMist AML team found that the wallet addresses related to the attackers are as follows:

Attacker’s address:

0x886358f9296De461d12e791BC9Ef6F5a03410C64

The analysis of the MistTrack anti-money laundering tracking system of SlowMist AML found that the attacker first withdrew coins from Binance, obtained initial funds, and then deployed the contract.

Through three operations, the attacker converts ETH to anyETH, and then cross-chain the obtained ETH to the Ethereum address through the cross-chain platform:

0x886358f9296De461d12e791BC9Ef6F5a03410C64。

It is worth noting that :

1. Ethereum address after cross-chain:

0x886358f9296De461d12e791BC9Ef6F5a03410C64 A transaction was transferred to Binance.

2. The initial transaction of the attacker’s profitable address was 100 ETH transferred from the currency mixing platform Tornado.Cash.

Event combing (UTC)

-1:25:07 The attacker withdraws 100 ETH from Tornado Cash

-1:27:09 Attacker deposits 1 ETH to Binance

-1:35:24 Attacker withdraws 2 BNB from Binance to BSC

-1:35:27 The attacker withdrew 0.72213159 Binance-Peg ETH from Binance to BSC 

-1:43:52-1:49:05 The attacker deploys a contract on the BSC to attack

So far, the attacker’s profitable address

0x886358f9296De461d12e791BC9Ef6F5a03410C64 The total balance is 468.99 ETH.

Summarize

This attack is a classic case of using lightning loans for arbitrage. Attackers can conduct arbitrage attacks on the WaultSwapPair (BSC_USDT-WEX) pool due to design flaws in the economic model. At the beginning of development, the project party should also pay attention to the attack surface brought by the design of the economic model. It is recommended that a third-party professional team or expert deduct the attack surface of the project in various DeFi scenarios, and investigate the possible attack surface. Optimizing and strengthening the project in terms of economic model and architecture design.

The SlowMist security team has added the attacker’s address to the AML system for monitoring, and used the linkage capabilities of the AML system to block the attacker’s funds as much as possible.

Reference attack transaction:

https://bscscan.com/tx/0x31262f15a5b82999bf8d9d0f7e58dcb1656108e6031a2797b612216a95e1670e