ID: enzyme-finance-1118
Date: November 17, 2021
Status: Near-Miss
Incident Count: 1
Contributor: web3rekt.com
KYC By / KYC: None
Audit By / Audits: Chainsecurity
Loss Amount: -
Recovered: -
Rewards: 90,000
Currency: USD

Key Indicators

Platform: Ethereum
Type: Dapp
Category: Dexes
Method: Near-Miss
Data Sources:
Extended Method: No permission checks defined to endpoints
Days in Operation: 730 (2.00 Years)

Enzyme Finance is an Ethereum-based protocol for decentralized on-chain asset management. It allows users and investors to create and invest in various funds. A fund owner configures the rules of their fund: fees and policies, the denomination asset by which share price and performance are measured, the time-lock between shares actions (buying or redeeming shares) for a given user, etc.

Whitehat setuid0 of SSLab at Georgia Tech reported a critical vulnerability in the way Enzyme Finance calculated the prices of Idle tokens when buying shares. Taking a flashloan from IdleTokenGovernance.sol affected the totalSupply of the Idle tokens, which was used to calculate the price of the token. Price calculations were based on the totalNav / totalSupply of the tokens. It's worth noting that the initial Idle Token integration was with v4, which did not have any flashloan logic. That logic was added later in v5, unintentionally introducing a bug into Enzyme Finance's protocol.

Enzyme issued a payout of $90,000 to setuid0 the same week.

DISCLAIMER: While web3rekt has used its best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of its information and data herein, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.

Under no circumstances shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.