ID: mushrooms-finance-1145

Date: April 27, 2021

Status: Near-Miss

Incident Count: 2

Contributor: web3rekt.com

KYC By:

KYC: None

Audit By:

Audits: None

Loss Amount: -

Recovered: -

Rewards: 4,000

Currency: USD

Key Indicators

Platform: Multi-chains

Type: Protocol

Category: Dexes

Method: Rewards - Bug Bounties

Data Sources:

Extended Method:

Two attacker transactions sandwich the victim transaction in the middle; the victim transaction is a call to the harvest function.

Days in Operation: 0

Whitehat Wen-Ding Li reported a vulnerability in Mushrooms Finance, classified as “high”, to Immunefi on April 27. The vulnerability was a theft of yield, but the attack was not a flash loan. Rather, it was an MEV (miner-extractable value) attack carried out with Flashbots, which is similar to but distinct from a flash loan.

Regrettably, the vulnerability was exploited twice (block 12312954, ~0.0345 ETH, and block 12319752, ~0.0504 ETH) prior to Wen-Ding Li’s report, leading to a loss of ~$222 in total. Mushrooms Finance has since patched the vulnerability. Had Mushrooms not mitigated it swiftly, the attack would have been repeatable.

Theft-of-yield vulnerabilities occur when an attacker finds a way to steal the yield (not the original user funds) generated by some on-chain financial activity such as staking.


DISCLAIMER: While web3rekt has used its best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of the information and data herein, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.

Under no circumstances shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages arising from any or all usage of the data and information derived from this database.