Belt Finance got hacked today, losses worth ~$13mm. Withdrawals have been paused to prevent further losses. The exploit happened due to an incorrect valuation of 3eps shares. This was one of the more complex hacks in recent times🧵👇 
The exploit was in the beltBUSD vault's Elipsis strategy. The vault uses multiple strategies: Elipsis, Venus, Alpaca, and Fortube. Although the exploit happened due to a bug in Elipsis strategy, funds were leaked via the Venus strategy.
This actually derailed my analysis a bit since I initially focused on the Venus strategy. Only when I took a step back, I realized what's actually going on. It was just luck that Venus strategy was the most undersubscribed strategy at the start of the exploit so it got used.
The way beltBUSD multi-strategy vault works is that it has a target balance for all strategies. When anyone deposits money, it deposits it into the most undersubscribed strategy. When someone withdraws money, it withdraws it from the most oversubscribed strategy.
At the start of the exploit, Venus was most undersubscribed and hence the deposits went towards it. After the large deposit from the attacker, Venus became the most oversubscribed strategy and hence, the withdrawals came from it as well.
When issuing or redeeming vault shares, the vault calculates the value of a vault share by adding up the value of all strategies. During the attack, the value of the Elipsis strategy was incorrectly calculated to be higher than the actual value.
As a result, the vault assumed that the value of a share is higher than it actually is. When the attacker withdrew money from it by redeeming their shares, they ended up getting more than they should have (~$1mm more per ~$200mm withdrawal).
The real issue is that the Elipsis strategy sums up the token balances of 3eps pool to calculate its value. This assumption is only true when the pool is balanced. You will get an incorrect value by this assumption in case the pool is unbalanced.
The attacker took a flash loan at the start of the transaction. They then deposited a bunch of money (~200m) in the Belt vault at the normal valuation of the share. The attacker then unbalanced the 3eps pool by swapping ~190m BUSD to ~170m UST.
Due to this unbalancing, the belt pool now thinks that its shares are worth more than they actually are. The attacker then withdrew the money they deposited in the belt pool earlier and got about 0.5% extra (~1m extra on ~200m deposit).
The attacker repeated the above two steps many times over multiple transactions, netting about ~6.2m in total after accounting for the flash loan fees and price slippage in swaps. The 3eps pool made ~6m in fees.
Basically, the Issue happened because belt incorrectly integrated with Elipsis. A similar issue happened last month as well in belt finance but at that time, the problem was a buggy integration with Venus. I wonder if belt has any bug-free integration.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
