ID: earning-farm-1216

Date: October 14, 2022

Status: Verified

Incident Count: 1

REKT

Contributor: web3rekt.com

KYC By:

KYC:

None

Audit By:

Audits:

SlowMist, PeckShield

Loss Amount: 989,250

Recovered: -

Rewards:

Ticker:

USD, EF_LEV

Whitehat Daniel Von Fange reported that EFLeverVault, linked to Earning.Farm, has been hacked for 750 ETH. 480 ETH ended up in an MEV bot, while 268 ETH were withdrawn by the hackers.

The vision of Earning.Farm is to provide user-friendly investment tools so that the mass population can enjoy the innovation of DeFi.

The hack happened because the contract did not verify that flash loan callbacks were actually initiated by the protocol, allowing the attacker to tell the protocol to withdraw large amounts of funds. The EFLeverVault handles withdrawals by making a flash loan to itself for the requested amount; when it receives the flash loan, it withdraws that amount of funds and leaves it as ETH on the contract. After the flash loan is over, the contract sends all ETH on the contract to the user. The attacker exploited this by making a tiny deposit, then a huge outside flash loan, causing the protocol to make a large withdrawal to ETH to itself. The attacker then withdrew their small amount of ETH, and the protocol sent both the small and the large amount it had to them. Essentially, the exploiter was able to invoke the flash loan directly and designate EFLeverVault as the recipient, which bypassed the limit that Withdraw places on the flash loan amount and let the exploiter be the recipient of the funds.
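A simplified Python model of the withdrawal flow described above, added here as an illustration and not taken from the EFLeverVault contract; the class names, the `check_initiator` flag and all amounts are constructed. It shows the callback with and without a check that the vault itself opened the loan.

```python
# Simplified, constructed model; not the EFLeverVault source. Units: whole ETH.
class FlashLender:  # stand-in for an external lender: anyone may name any recipient
    def flash_loan(self, recipient, amount):
        recipient.on_flash_loan(self, amount)

class Vault:
    def __init__(self, lender, invested, check_initiator):
        self.lender = lender
        self.invested = invested        # funds held in the strategy
        self.idle_eth = 0               # ETH sitting on the contract
        self.shares = {}
        self.check_initiator = check_initiator
        self._loan_open = False         # True only while withdraw() is running

    def deposit(self, user, amount):
        self.shares[user] = self.shares.get(user, 0) + amount
        self.invested += amount

    def on_flash_loan(self, caller, amount):
        if caller is not self.lender:
            raise PermissionError("callback from unknown lender")
        # The check the page says was missing: did the vault start this loan?
        if self.check_initiator and not self._loan_open:
            raise PermissionError("flash loan not initiated by vault")
        self.invested -= amount         # unwind part of the position ...
        self.idle_eth += amount         # ... and leave it as ETH on the contract

    def withdraw(self, user, amount):
        if amount > self.shares.get(user, 0):
            raise ValueError("amount exceeds user's balance")
        self.shares[user] -= amount
        self._loan_open = True
        try:
            self.lender.flash_loan(self, amount)
        finally:
            self._loan_open = False
        paid, self.idle_eth = self.idle_eth, 0   # pays out ALL ETH on the contract
        return paid

def payout_after_outside_loan(check_initiator):
    """Tiny deposit, outside loan naming the vault, then a tiny withdrawal."""
    lender = FlashLender()
    vault = Vault(lender, invested=1000, check_initiator=check_initiator)
    vault.deposit("user", 1)
    try:
        lender.flash_loan(vault, 750)   # not started by vault.withdraw()
    except PermissionError:
        pass                            # guarded vault rejects the callback
    return vault.withdraw("user", 1), vault.invested
```

The function returns the amount paid to the user and the funds left in the strategy. Paying out only the requested amount instead of the contract's whole ETH balance would be a second, independent safeguard in this model.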

Funds were sent to Tornado.cash.
