A recent attack in the DeFi space has exposed a weakness in how lending platforms price tokenized vault shares, specifically ERC-4626 vaults. The attacker used a familiar tool, the flash loan (a loan that is borrowed and repaid within a single transaction), to manipulate a vault's exchange rate and feed a false value to the lending platform's pricing system, known as an oracle.
On February 27, an attacker carried out what is known as a "donation attack", starting with a flash loan of about 4 million USD from Aave, a cryptocurrency lending platform. The target was wUSDM, the ERC-4626 vault token of Mountain Protocol. wUSDM is a yield-bearing wrapper of the USDM stablecoin, a token whose value is kept stable by backing in short-term U.S. Treasury bills. A donation attack inflates a vault's exchange rate by sending assets to the vault directly, so that the vault's total assets rise while its share count does not. The attacker pushed the wUSDM exchange rate from 1.06 to 1.7, making each share appear far more valuable than it really was.
Next, the attacker used two accounts on Venus Protocol, another lending platform, so that one could liquidate the other's position while the inflated wUSDM price was in effect (a liquidation repays a borrower's debt in exchange for their collateral at a discount). Although Venus quickly paused the affected market, the attacker still pocketed about 200,000 USD in profit, while Venus suffered losses of over 716,000 USD, according to an analysis by Chaos Labs, a firm specializing in risk management.
Yoni Keselbrener, head of DeFi at Lightblocks Labs, told The Block: "Both teams responded in a timely manner by locking the market, adjusting risk rules, and bringing the exchange rate back to normal levels." Keselbrener is a contributor to eOracle, a system that provides real-world data to decentralized applications on Ethereum.
The ERC-4626 standard, launched in May 2022, defines a common interface for tokenized vaults. However, the Chaos Labs report notes that the standard "lacks safeguards when exchange rates fluctuate abnormally on lending platforms."
In January 2024, Euler Finance published research warning that most ERC-4626 vaults lack a mechanism to prevent exchange-rate manipulation, and argued that several protective measures need to be combined to be effective.
Chaos Labs also said the attack could have been avoided with measures such as these: "wUSDM contracts should use an exchange rate checking system from multiple sources. Or if Venus had been warned early, they could have limited the unusual increase in exchange rates." To prevent a recurrence, Aave plans to roll out its CAPO mechanism (Correlated Assets Price Oracle), which caps how quickly a yield-bearing token's price may rise relative to its underlying asset, to all yield-bearing collateral, so that an attacker cannot manufacture fake yield.
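To make the mechanism concrete, here is an added example (not code from Mountain Protocol, Venus, Aave or Chaos Labs) that models ERC-4626 share accounting in Python, shows how a donation moves the exchange rate without minting shares, and compares a naive oracle read against a hypothetical growth-capped adapter in the spirit of Aave's CAPO. The vault size, timestamps and the 10 %/year cap are constructed assumptions chosen to reproduce the 1.06 to 1.7 move described above; they are not figures from the incident.

```python
"""Exchange-rate manipulation of an ERC-4626 vault by donation, and a capped
oracle adapter in the spirit of Aave's CAPO.

Added example; not code from Mountain Protocol, Venus, Aave or Chaos Labs.
Vault sizes, timestamps and the growth cap are constructed to reproduce the
1.06 -> 1.7 move reported in the article, not figures from the incident.
"""
from dataclasses import dataclass

SECONDS_PER_YEAR = 365 * 24 * 3600


@dataclass
class Vault:
    """Minimal ERC-4626 share accounting in floats (no fees, no rounding, no
    virtual-share offset). convertToAssets(1 share) == total_assets / total_shares."""
    total_assets: float
    total_shares: float

    def exchange_rate(self) -> float:
        return self.total_assets / self.total_shares

    def deposit(self, assets: float) -> float:
        # mints shares at the current rate; the rate itself does not move
        shares = assets / self.exchange_rate()
        self.total_assets += assets
        self.total_shares += shares
        return shares

    def donate(self, assets: float) -> None:
        # a plain token transfer into the vault: totalAssets rises, no shares
        # are minted, so every existing share is now "worth" more
        self.total_assets += assets


def naive_price(vault: Vault, underlying_price: float = 1.0) -> float:
    """What a lending market gets if it prices the vault token as
    convertToAssets(one share) * price(underlying) with no sanity check."""
    return vault.exchange_rate() * underlying_price


@dataclass
class CappedRateOracle:
    """Caps how fast the reported rate may grow from a trusted snapshot.

    Hypothetical adapter modelled on the idea behind Aave's CAPO: a
    yield-bearing token's rate against its underlying should only grow at
    roughly the yield rate, so anything faster is clamped to the cap.
    """
    snapshot_rate: float      # rate observed at snapshot_ts by the maintainer
    snapshot_ts: int          # unix time of that observation
    max_yearly_growth: float  # e.g. 0.10: the rate may grow at most 10 %/year

    def max_rate(self, now_ts: int) -> float:
        elapsed = max(0, now_ts - self.snapshot_ts)
        return self.snapshot_rate * (1.0 + self.max_yearly_growth * elapsed / SECONDS_PER_YEAR)

    def price(self, vault: Vault, now_ts: int, underlying_price: float = 1.0):
        """Returns (price, capped): the clamped price and whether the cap bit."""
        actual = vault.exchange_rate()
        cap = self.max_rate(now_ts)
        capped = actual > cap
        return (min(actual, cap) * underlying_price, capped)


def simulate(flash_loan: float = 4_000_000.0) -> dict:
    """Donate a flash-loaned amount into a vault and compare the two oracles."""
    # constructed: a 6.625M-asset vault whose shares are worth 1.06 assets each
    vault = Vault(total_assets=6_625_000.0, total_shares=6_625_000.0 / 1.06)
    t0 = 1_700_000_000
    oracle = CappedRateOracle(snapshot_rate=vault.exchange_rate(),
                              snapshot_ts=t0, max_yearly_growth=0.10)
    rate_before = vault.exchange_rate()

    # attacker: flash-loan, donate, have the oracle read within the same tx
    vault.donate(flash_loan)
    now = t0 + 24 * 3600  # one day after the snapshot
    capped_price, flagged = oracle.price(vault, now)

    return {
        "rate_before": rate_before,
        "rate_after": vault.exchange_rate(),
        "naive_price_after": naive_price(vault),
        "capped_price_after": capped_price,
        "capped_flagged": flagged,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:>20}: {value}")
```

The model stops at the oracle read: the naive oracle reports 1.7 assets per share immediately after the donation, while the capped adapter refuses to report more than about 1.0603 one day after its snapshot and flags the excess. A real vault uses integer math with rounding, and OpenZeppelin's ERC-4626 implementation adds a virtual-share offset that makes the first-depositor variant of this attack unprofitable; that offset does not stop a large donation into an already large vault from moving the rate, which is why the check belongs on the consuming side as well.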
Curve Finance's account on X commented: "This vulnerability occurs not only with standard vaults but with all types of vaults. This is a common mistake seen in lending platforms."
Keselbrener commented: "The CAPO mechanism is very effective, but it requires additional complex programming and needs to be monitored continuously. We must ensure it does not hinder legitimate profits while still preventing hackers." He added: "As DeFi becomes increasingly complex, we cannot rely solely on simple price data. It is essential to understand the risks of each cryptocurrency. A price checking system from multiple sources is not a drawback, but an important layer of protection. Specialized oracle providers can design measures to detect and prevent such attacks."
Disclaimer: This article is for informational purposes only and should not be considered investment advice. Investors should conduct thorough research before making any decisions. We are not responsible for your investment decisions.
Thach Sanh