Analysis of the flash loan attack on the Nerve-related Smart Pool in Eleven Finance
Chuangyu Blockchain Security Lab
2021-06-23 06:55
On June 23, the Nerve-related smart pool in the yield aggregator Eleven Finance may have suffered a flash loan attack.

process


Transaction link: https://bscscan.com/tx/0x6450d8f4db09972853e948bee44f2cb54b9df786dace774106cd28820e906789

1. The attacker first borrowed USDT through a flash loan, converted part of it into NRV tokens, and then used the NRV tokens and USDT to add liquidity on PancakeSwap, obtaining LP tokens.

2. After obtaining the LP tokens, the attacker makes a call that harvests the NRV tokens of the mining contract MasterMind (0x2EBe8CDbCB5fB8564bC45999DAb8DA264E31f24E) and converts them through the yield aggregator pool (the "machine gun pool") into 11NRV tokens, so that the attacker holds both LP tokens (BUSDT and NRV) and 11NRV tokens.

3. The attacker then calls the ElevenNeverSellVault (0x27DD6E51BF715cFc0e2fe96Af26fC9DED89e4BE8) contract to add liquidity and obtain 11nrv BUSD tokens.

4. The problem is that, after liquidity has been added and the tokens obtained, the ElevenNeverSellVault contract exposes an emergency destruction function that can withdraw the token balance held in the contract, so that by calling this function the user can withdraw the LP balance from the mining contract (MasterMind) a second time.

6. Finally, the attacker takes the LP tokens obtained across the two withdrawals, 82W (820,000) in total, removes liquidity on PancakeSwap to obtain NRV tokens and BUSDT, and then converts the NRV to BUSDT to repay the flash loan and complete the arbitrage.
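
The accounting flaw described in step 4 can be modelled with simple share bookkeeping, alongside the solvency invariant a reviewer or monitor would check. This is an added example, not Eleven Finance's contract code: it assumes the emergency path pays out the caller's deposit without burning the vault's receipt tokens, and all class, method and parameter names are hypothetical.

```python
# Simplified model (added example, not the project's contract code).
# All names are hypothetical; amounts are constructed sample values.

class Vault:
    """Toy vault: one receipt token is issued per LP token deposited."""

    def __init__(self, burn_on_emergency, staked_by_others=0):
        self.burn_on_emergency = burn_on_emergency
        self.staked = staked_by_others          # LP held in the mining contract
        self.other_receipts = staked_by_others  # receipts owned by other users
        self.receipts = {}                      # receipt balance per tracked user

    def total_receipts(self):
        return self.other_receipts + sum(self.receipts.values())

    def deposit(self, user, lp):
        self.staked += lp
        self.receipts[user] = self.receipts.get(user, 0) + lp

    def _pay_out(self, user, burn):
        amount = self.receipts.get(user, 0)
        if amount > self.staked:
            raise ValueError("vault cannot cover the withdrawal")
        self.staked -= amount
        if burn:
            self.receipts[user] = 0             # receipt tokens destroyed
        return amount

    def withdraw(self, user):
        return self._pay_out(user, burn=True)

    def emergency_exit(self, user):
        # Flawed variant: LP leaves the vault but the receipts stay valid.
        return self._pay_out(user, burn=self.burn_on_emergency)

    def solvent(self):
        # Invariant: every outstanding receipt is backed by staked LP.
        return self.staked >= self.total_receipts()


def lp_returned(burn_on_emergency, deposit=100, others=1000):
    """Return (LP paid out for a single deposit, invariant holds afterwards)."""
    v = Vault(burn_on_emergency, staked_by_others=others)
    v.deposit("user", deposit)
    paid = v.emergency_exit("user") + v.withdraw("user")
    return paid, v.solvent()
```

With the flawed emergency path, one deposit of 100 LP is paid out twice and the shortfall falls on the other depositors; burning the receipts in the emergency path restores the invariant.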

event summary

