How Eleven.Finance got hacked?

How Eleven.Finance got hacked?

Eleven.finance, a yield aggregator on BSC and Polygon, was exploited for a total of $4.5M. Binance Smart Chain protocols don’t have an easy year will all of the recent hacks in last months happened on that chain. I won’t rant about BSC. I did that already in my previous articles. Let’s dive into the exploit.

The hack

The exploit was possible due to a bug in emergencyBurn() function of ElevenNeverSellVault. There is a transfer of previously deposited funds during the function execution, but there is a lack of burning of Nerve shares to account for the transfer.

In other words, an attacker could double-spend Nerve shares he acquired during deposit to the vault by withdrawing all LP tokens he initially deposited and withdrawing the same amount by burning Nerve shares in a call to withdrawAll() function.

There were 3 affected vaults, nrvBTC, nrvETH, nrvFUSDT.

Let’s see step by step what happened. Following analysis is done solely on nrvBTC vault but other vaults were drained in the same fashion.

Transaction in question

  1. FlashSwap from PancakeSwap with 30.910261929777403502 BTCB
  2. Convert amount to nrvBTC asset (30.836)
  3. Deposit nrvBTC to “MasterMind” through ElevenNeverSellVault’s depositAll() function on nrvBTC vault and receiving 30.836 11NRV token shares
  4. Call emergencyBurn() through ElevenNeverSellVault nrvBTC vault to recover the initial 30.836 nrvBTC. At this point, the 30.836 11NRV token shares aren’t burned, and we can double-spend them.
  5. Call withdrawAll() through ElevenNeverSellVault using unspent 30.836 11NRV token shares we still have from the previous step. This time, 11NRV Tokens will be burned, and we get an additional 30.836 nrvBTC in addition to the initial ones we have.
  6. Remove liquidity of all 61.673 nrvBTC and get 61.754288382343941084 in BTCB in return
  7. Repay FlashSwap
  8. Transfer the rest to the attacker account.

I used the tool tenderly.co to help me analyze the attacks. If you want to check how it differs from traditional etherscan, give it a go.

I can also recommend reading other overviews of the attack.

Rekt - Eleven Finance - REKT
DeFi / Crypto - This one almost struck a nerve. Eleven.finance, a yield aggregator on Binance Smart Chain (BSC) and Polygon (MATIC) was exploited for a total of $4.5M.


and

Eleven Finance Incident: Root Cause Analysis
Started at June-22–2021 22:58:39 +UTC, Eleven Finance was exploited to drain a number of vaults at the loss about $4.6 million. The…

Thanks for reading, and if you like my writing, you can subscribe to my blog to receive the daily newsletter as I’m currently in the middle of 100 days of blogging challenge. Subscription box below 👇

If the newsletter is not your thing, check out my Twitter @adrianhetman, where I post and share exciting news from the Blockchain world and security.

See you tomorrow!