ID: yearn-finance-1274
Date: November 1, 2022
Status: Verified
Incident Count: 2

Contributor: web3rekt.com
KYC By:
KYC: None
Audit By:
Audits: None
Loss Amount: -
Recovered: -
Rewards:
Ticker: USD, SPELL

Key Indicators

Platform: Ethereum
Type: Protocol
Category: Dexes
Method: Contract Vulnerabilities
Extended Method: Logic error in calculating bribe allocations
Days in Operation: 536 (1.47 Years)
Data Sources:

Yearn's security team discovered a vulnerability in the third-party BribeV2 contract, disclosed it to the relevant parties, and released a fixed contract for everyone to use.

During a routine check, irregularities were found in the amount of SPELL bribes being claimed by some users of the BribeV2 contract. Analysis showed that an attacker had been exploiting a flaw in the way the contract calculates bribe allocations since September 2021.

The flaw causes bribes to be allocated based on each user's locked amount of CRV rather than on their veCRV balance.

BribeV2 incorrectly uses a user's slope, which is determined only by the amount of CRV they lock and not by how long they lock it. This is a critical flaw because it allows someone with a short lock to be paid at the same rate as someone with a long lock on the same amount.

Together, slope-based allocation and the short minimum lock mean there is an exploit where a user can:

1. Lock 1m CRV for the minimum amount of time (7 days)
2. Vote for a gauge with a veCRV balance of 4,808 (1m CRV / 208 weeks) but claim rewards based on a gauge vote of 1m veCRV.
3. Withdraw 1m CRV as soon as possible
4. Continue to claim rewards every week forever

Because the CRV can be withdrawn after a week, an exploiter can cycle the same CRV through multiple wallets and collect perpetual rewards on each.
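The following added example models the allocation flaw described above; it is not BribeV2's or Curve's own code, and the function names, the simplified linear veCRV model and the two sample voters are constructed for the illustration. It shows that weighting by slope pays a 1-week lock and a 4-year lock of 1m CRV identically, while weighting by veCRV balance gives the short lock roughly 0.5% of the bribe.

```python
# Simplified model of Curve's vote-escrow accounting, added here to show the
# BribeV2 allocation bug; not BribeV2's or Curve's own code. Function names
# and sample voters are constructed for this illustration.
MAXTIME_WEEKS = 208  # Curve's maximum lock (4 years) expressed in weeks


def slope(locked_crv):
    # In VotingEscrow the slope depends only on how much CRV is locked.
    return locked_crv / MAXTIME_WEEKS


def ve_balance(locked_crv, weeks_remaining):
    # veCRV decays linearly to zero at unlock: slope * time left.
    return slope(locked_crv) * min(weeks_remaining, MAXTIME_WEEKS)


def allocate(voters, bribe, weight_fn):
    # Split a bribe pro rata by whatever weight each voter is given.
    weights = {name: weight_fn(crv, weeks) for name, crv, weeks in voters}
    total = sum(weights.values())
    return {name: bribe * w / total for name, w in weights.items()}


def buggy_allocation(voters, bribe):
    # BribeV2's mistake: weight by slope, so lock length is ignored.
    return allocate(voters, bribe, lambda crv, weeks: slope(crv))


def fixed_allocation(voters, bribe):
    # Correct behaviour: weight by the voter's veCRV balance.
    return allocate(voters, bribe, ve_balance)


# Constructed scenario from the write-up: two voters each lock 1m CRV,
# one for the minimum 7 days (1 week), one for the full 4 years.
VOTERS = [("short_lock", 1_000_000, 1), ("long_lock", 1_000_000, MAXTIME_WEEKS)]
BRIBE = 10_000  # SPELL, constructed amount


if __name__ == "__main__":
    print("veCRV of 1m CRV locked 1 week:", round(ve_balance(1_000_000, 1)))
    print("slope-weighted (buggy):", buggy_allocation(VOTERS, BRIBE))
    print("balance-weighted (fixed):", fixed_allocation(VOTERS, BRIBE))
```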

Loss amount was not provided.


DISCLAIMER: While web3rekt has used its best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of the information and data herein, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.

Under no circumstances shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial or non-commercial damages, including but not limited to special, incidental, consequential, or other damages arising from any or all usage of the data and information derived from this database.