bg

Decoding Vowcurrency’s $1.2 Million Exploit

Updated at: September 18, 20247 Mins Read

Author: QuillAudits Team

Summary

On August 13, 2024, Vowcurrency protocol on the Ethereum chain was attacked due to improper access control in setUSDRate function. The attackers exploited this vulnerability and stole approximately $1.2 million.



TL;DR

Exploit Overview

On August 13, 2024, an attacker exploited a vulnerability in the Vowcurrency Protocol, resulting in the loss of 175 ETH, 595,970 USDT, and 5,801,632 VOW tokens.

 

1

Attack Details

  1. Rate Manipulation: The attacker changed the USD rate of VOW tokens from 1 to 100 and then back to 1.

  2. Minting Advantage: This rate change allowed them to mint vUSD at a rate 100 times higher than normal.

  • Financial Impact
    Swapped Assets: The attacker converted assets into 452 ETH (~$1.2M).

Attacker Details:

  1. Attacker Address 1: 0x48de6bF9e301946b0a32b053804c61DC5f00c0c3
    Attacker Address 2: 0xbA1be907f532Ff6bb0088279e0f3DCDdD693aC7c
  2. Attacker Contract: 0xB7F221e373e3F44409F91C233477ec2859261758
  3. Victim Contract: 0x1BBf25e71EC48B84d773809B4bA55B6F4bE946Fb

 

About the Project

VowCurrency is a free-floating ERC777 token on Ethereum used to mint voucher (v) currencies. Initially issued by Vow Limited, VOW tokens are burned over time, reducing their supply from the original 1.14 billion.


Vulnerability Analysis and Impact

On-Chain Details:

Attacker Address 1:
https://etherscan.io/address/0x48de6bF9e301946b0a32b053804c61DC5f00c0c3

Attacker Address 2: 

https://etherscan.io/address/0xbA1be907f532Ff6bb0088279e0f3DCDdD693aC7c

Attack Contract:
https://etherscan.io/address/0xB7F221e373e3F44409F91C233477ec2859261758

Vulnerable Contract:
https://etherscan.io/address/0x1BBf25e71EC48B84d773809B4bA55B6F4bE946Fb

Attack Transaction:
https://etherscan.io/tx/0x758efef41e60c0f218682e2fa027c54d8b67029d193dd7277d6a881a24b9a561
 

6+

Years of Expertise

$30B+

Secured in Digital Assets

1M+

Lines of Code

1K+

Projects

The Root Cause

The lack of validation in the setUSDRate function in the smart contract which allows the attacker to rapidly change the rate without restrictions.

Moreover, the lack of mechanism to track or delay rate changes which assists the attacker to do exploit.


2

Attack Process

Private Key Exposure:

  • Leakage: The private key of the usdRateSetter for the VOW Token was leaked, enabling unauthorized access and manipulation of rate settings.
     

Contract Deployment and Funding:

  • Deployment: The attack contract (0xB7F221e373e3F44409F91C233477ec2859261758) was deployed 110 days prior to the attack.
     
  • Funding: This contract was funded through Tornado Cash, a common tool for anonymizing crypto transactions.
     

Rate Manipulation:

  • MEV Bot Role: An MEV bot, controlled by the attacker, was used to manipulate the vUSD rate. The bot changed the rate from 1 to 100, inflating the value of vUSD received per VOW token on Ethereum block 20519307.

  • Minting vUSD: The attack contract then minted a large amount of vUSD at this inflated rate.

    4
     

Token Swapping:

  • Token Swapping: The attacker used the minted vUSD to swap approximately 26,107,347 VOW tokens for 175.4778 ETH and 595,970 USDT.

Rate Reversion:

  • Reversion: After the exploit, the attacker reverted the vUSD rate back to its original value (1) on Ethereum block 20519316.

    3

 

Final Outcome:

  • Price Impact: Following the exploit, the VOW token price plummeted by 87%, now trading at $0.04.
  • Attacker's Holdings: The attacker currently holds approximately 452 ETH, valued at ~$1.21M.
     

Flow of funds

https://metasleuth.io/result/eth/0x758efef41e60c0f218682e2fa027c54d8b67029d193dd7277d6a881a24b9a561


5


After Exploit

The Vowcurrency team focused on mitigating the impact of this attack and restoring normal operations as quickly as possible and they are implementing the additional safeguards to prevent similar issues from occuring in the future.


How could they have prevented the Exploit?


To enhance security and mitigate vulnerabilities, the team should consider several measures. First, deploy a parallel version of the contract on a testnet or sandbox environment where no real assets are at risk. This approach allows for thorough testing and validation before making any changes to the main contract.


Implementing real-time monitoring and alert systems is also crucial. These systems should notify the team of significant contract activities, such as large minting events, to catch any irregularities early.


Engaging external security experts for code reviews is another key step. Partnering with a reputable security firm like QuillAudits can provide comprehensive audits and testing, helping to identify and address potential weaknesses before deployment.


Finally, establish a rigorous internal review process for all updates. This ensures that every change is carefully vetted and validated, reducing the risk of similar exploits in the future.

Beyond words we dedicate ourselves to pioneering the web3 industry towards a secure future

DSA MemberTS GovBWA LogoCoinweb Logo
Check Our Pricingarrow
Need Integration Support?

Need Integration Support?

Talk to an expert

Explore QuillShield

Explore QuillShield

Get Free Audit Credits

Visit QuillCheck

Visit QuillCheck

Detect Rug Pulls on the Go

Subscribe to our Newsletter

Your weekly dose of Web3 innovation and security, featuring blockchain updates, developer insights, curated knowledge, security resources, and hack alerts. Stay ahead in Web3!

Telegram