ID: veth-510

Date: July 1, 2020

Status: Verified

Incident Count: 1

REKT

Contributor: zerofriction.io

KYC By:

KYC:

None

Audit By:

Audits:

None

Loss Amount: 3,630

Recovered: -

Rewards:

Currency:

USD, VETHER

Key Indicators

Platform:

Type:

Category:

Method:

Data Sources:

Protocol

Contract Vulnerabilities

Extended Method: Logic error, no access control

Days in Operation:

0

Before going further, note that Strictly-Scarce loves simplicity, so much so that Vether V3 let holders upgrade from V2 to V3 while skipping an approval step, breaking from the ERC-20 standard.
You also need to know that Vether has a little-used feature: an address can be excluded from the 10-basis-point transfer fee built into Vether. For most folks this is unnecessary, but this feature played a big role in the exploitation of Vether V3.
Feeling the pressure of a potential illegitimate grab of the remaining Vether V2, the community and dev pushed out V3. Unbeknownst to most upgraders, the shortcut built for upgrading from V2 to V3 introduced a fatal flaw.
By paying the 128 Vether fee, someone could control all of the Vether V3 using the flaw in the code. This came to light when an anonymous person (we’ll call this person “Anon”) bought Vether off Uniswap and then paid the 128 Vether exclusion fee. They then claimed all the Vether in the Vether contract, about 900,000 Vether. They then dumped 150,000 Vether into Uniswap and pulled out ~15 Ethereum (not $900,000 as you may have read on Twitter). This destroyed the value of all Vether V3.

DISCLAIMER: While web3rekt has used its best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of the information and data herein, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.

Under no circumstances, shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.