On August 13, 2024, Vowcurrency protocol on the Ethereum chain was attacked due to improper access control in setUSDRate function. The attackers exploited this vulnerability and stole approximately $1.2 million.
Exploit Overview
On August 13, 2024, an attacker exploited a vulnerability in the Vowcurrency Protocol, resulting in the loss of 175 ETH, 595,970 USDT, and 5,801,632 VOW tokens.
Attack Details
Minting Advantage: This rate change allowed them to mint vUSD at a rate 100 times higher than normal.
Attacker Details:
VowCurrency is a free-floating ERC777 token on Ethereum used to mint voucher (v) currencies. Initially issued by Vow Limited, VOW tokens are burned over time, reducing their supply from the original 1.14 billion.
On-Chain Details:
Attacker Address 1:
https://etherscan.io/address/0x48de6bF9e301946b0a32b053804c61DC5f00c0c3
Attacker Address 2:
https://etherscan.io/address/0xbA1be907f532Ff6bb0088279e0f3DCDdD693aC7c
Attack Contract:
https://etherscan.io/address/0xB7F221e373e3F44409F91C233477ec2859261758
Vulnerable Contract:
https://etherscan.io/address/0x1BBf25e71EC48B84d773809B4bA55B6F4bE946Fb
Attack Transaction:
https://etherscan.io/tx/0x758efef41e60c0f218682e2fa027c54d8b67029d193dd7277d6a881a24b9a561
The lack of validation in the setUSDRate function in the smart contract which allows the attacker to rapidly change the rate without restrictions.
Moreover, the lack of mechanism to track or delay rate changes which assists the attacker to do exploit.
Private Key Exposure:
Contract Deployment and Funding:
Rate Manipulation:
Token Swapping:
Rate Reversion:
Final Outcome:
https://metasleuth.io/result/eth/0x758efef41e60c0f218682e2fa027c54d8b67029d193dd7277d6a881a24b9a561
The Vowcurrency team focused on mitigating the impact of this attack and restoring normal operations as quickly as possible and they are implementing the additional safeguards to prevent similar issues from occuring in the future.
To enhance security and mitigate vulnerabilities, the team should consider several measures. First, deploy a parallel version of the contract on a testnet or sandbox environment where no real assets are at risk. This approach allows for thorough testing and validation before making any changes to the main contract.
Implementing real-time monitoring and alert systems is also crucial. These systems should notify the team of significant contract activities, such as large minting events, to catch any irregularities early.
Engaging external security experts for code reviews is another key step. Partnering with a reputable security firm like QuillAudits can provide comprehensive audits and testing, helping to identify and address potential weaknesses before deployment.
Finally, establish a rigorous internal review process for all updates. This ensures that every change is carefully vetted and validated, reducing the risk of similar exploits in the future.
Your weekly dose of Web3 innovation and security, featuring blockchain updates, developer insights, curated knowledge, security resources, and hack alerts. Stay ahead in Web3!