Logic error and lack of access control.
Days in Operation:
Whitehat Daniel Von Fange reported that EFLeverVault, linked to Earning.Farm, has been hacked for 750 ETH. 480 Ethers ended up in an MEV bot, while 268 Ethers were withdrawn by hackers.
The vision of Earning.Farm is to provide user-friendly investment tools for mass population to enjoy the innovation of DEFI.
The hack happened because the contract did not verify that flashloan callbacks where actually initiated by the protocol, allowing the attacker to tell the protocol to withdraw large amounts of funds. The EFLeverVault handles withdraws by making a flash loan to itself for that amount, when it receives the flash loan, it withdraws that amount of funds, and leaves it in eth on the contract. After the flash loan is over, the contracts sends all ETH on the contract to user. The attacker exploited this by making a tiny deposit, then a huge outside flashloan, causing the protocol to make a large withdraw to eth to itself. The attacker then withdrew their small amount of eth, and the protocol sent both the small and the large amount it had to them. Essentially the exploiter was able to directly invoke the Flashloan and designate EFLeverVault as the recipient, this bypasses Withdraw's limit on the amount of the Flashloan and allowing himself to be the recipient.
Funds were sent to Tornado.cash.
DISCLAIMER: While web3rekt has used the best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of its information and data herein, and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose.
Under no circumstances, shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.