1/How @ElevenFinance got hacked? 🧵

The exploit was possible due to a bug in emergencyBurn() function of ElevenNeverSellVault.

There is a transfer of previously deposited funds during the function call, but there is a lack of burning of Nerve shares to account for the transfer Image
2/ In other words, an attacker could double-spend Nerve shares he acquired during initial deposit to the vault.

emergencyBurn() didn’t burn 11NRV Tokens so an attacker used them in “withdrawAll()” to get additional LP Tokens in return.
3/ He burned LP Tokens on PancakeSwap getting the underlying tokens.

After repaying the FlashSwap, attacker was left with funds from burning second time the 11NRV Tokens.

This was done on multiple vaults on ElevenFinance, marking a total loss of $4.5M.
4/4 If you’re interested in learning in more detail what happened in the transaction, check out my newest blog post.


#DeFi #DeFiYieldProtocol #BSC #infosecurity #CryptoTwitter #infosec #cybersecutiy #cryptocurrencies #crypto

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Adrian ⛩️ Hetman 🐺⚔️

Adrian ⛩️ Hetman 🐺⚔️ Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @adrianhetman

24 Jun
1/ Do you think ERC20 approve() is safe? Well… 🧵

Function in itself is safe but there are two scenario where ERC20 approve() shows its rough edges.

First is a front-running attack on approve().

Imagine following scenario 👇
* Alice approves Bob for 20 Tokens
* After some time, Alice changes approve to 10
* Bob front-runs the Alice TX for approve(10)
* Bob spends 20 Tokens
* Alice TX passes
* Bob spends additional 10 Tokens from Alice.

Why is that?
3/ Attack is also possible because approve() overrides current allowance.

It doesn’t increase/decrease allowance in atomic manner.

How can we limit against that?

There are two approaches to limit the attack vector.
Read 15 tweets
21 Jun
1/ Why China is cracking down on #Bitcoin? 🧵

Currently many of the Chinese provinces where Bitcoin miners resided, rolled out new policies restricting or banning the #BTC miners.

Inner Mongolia, Xinjiang, Yunnan and Sichuan banned Bitcoin.
2/ Energy companies were told to stop providing energy to crypto miners due to them using too much electricity.

It became an illegal activity to mine cryptocurrencies. If someone would be found to do so regardless, they would be added to the blacklist of social credit system.
3/ All decision seems to be linked mainly with Energy usage.

China plans to achieve carbon neutrality by 2060 and reducing carbon intensity or the amount of carbon emitted per unit of GDP, by more than 65% by 2030.

Bitcoin mining ban can help with that.
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!