Summary
The Dedaub Team, led by Yannis Smaragdakis and Neville Grech, requested disclosure assistance from Immunefi for a vulnerability found in the bluechip DeFi project Vesper on March 16. The maximum funds at risk historically appear to have been 78.6 ETH, a third of which would have gone to fees as part of the attack. This vulnerability was never exploited by any malicious actors, and Vesper quickly introduced a fix. No original user funds were at risk, since the exploit targeted yields. Following the disclosure and fix, Vesper is joining Immunefi with a smart contract bug bounty of $200,000 and engaging Dedaub for an audit of Vesper contracts.
A more exhaustive technical analysis of this general attack vector of yield skimming is available on Dedaub’s Medium.
Vulnerability Analysis
In this now-addressed Vesper vulnerability, a malicious user could have stolen the yield generated by Vesper’s strategies through intercepting the rebalance swap from the WETH/VSP pool on Uniswap. While the original user funds remain intact, the yield would have gone to the attacker upon that yield’s distribution.
If this attack had been executed, it’s likely that it would not have been repeatable because the on-chain activity would make it obvious that an exploit had occurred, prompting a level of investigation that would have resulted in a patch. As a one-off yield skimming attack, the malicious user would have been able to steal a maximum of 78.6 ETH.
At a high level, the problem was specifically with the rebalance method. When rebalance is called, it takes the yield in the underlying asset and uses that asset to buy VSP, which increases the price of VSP. That is how the strategy generates returns to stakeholders, as VSP holders are entitled to a pro rata percentage of the yield that the use of the underlying asset produces. That is the purpose of Vesper’s rebalance bot, which calls rebalance in order to distribute yield to holders by buying VSP and so inflating its price.
But what if rebalance could have been called by anyone and then exploited to steal that yield?
The step-by-step walkthrough of the vulnerability shows how.
1. Take a flash loan in WETH
2. On Uniswap, swap the WETH for VSP. Now, the pool has significantly more WETH than VSP, so VSP becomes more expensive
3. Call VVSP.rebalance (deployed to 0xba4cfe5741b357fa371b506e5db0774abfecf8fc)
4. VVSP.rebalance calls VSPStrategy.rebalance (deployed to 0xd5579a994194c142846abafa5919fbad0ae32aa2), which calls VSPStrategy._rebalanceEarned, which executes a swap. In this case, the swap swaps wBTC for WETH and WETH for VSP.
5. The WETH is swapped for VSP at the inflated VSP price (due to the flash loan and swap in steps 1–2), so the strategy contract doesn’t get as much VSP for its WETH as ordinary market conditions would dictate. When the flash loan is then swapped back, most of the WETH that the rebalance put in ends up in the hands of the flash loaner. In other words, the attacker ends up with most of the WETH from rebalance, minus flash loan and swap fees, despite not participating in the yield farming at all.
With Vesper, there is a cooldown period on calling rebalance. The assumption was that the bot would call rebalance and properly distribute yield as soon as that window opened. That assumption turned out to be wrong, meaning that yield could be stolen by a malicious user calling rebalance during a flash loan before the bot could.
Vulnerability Fix
Vesper patched the vulnerability by increasing the frequency of rebalances called by the bot, such that each individual rebalance is smaller than the flash loan and swap fee that an attacker would have to pay to borrow that much ETH to execute the attack in the first place. If there’s no profit, then there’s no attack.
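To make the economics of the walkthrough above and of this fix concrete, here is an added constant-product (x*y=k) model of the sandwich around a rebalance. It is example code written for this write-up, not Vesper's, Dedaub's or Immunefi's; the pool reserves, the flash-loan fee and the candidate loan sizes are constructed assumptions (only the 0.3% swap fee is Uniswap v2's real parameter). It reproduces the two facts the post relies on: the attacker keeps most, but not all, of the rebalanced WETH on a large rebalance, and below a pool-dependent rebalance size no loan size covers the swap and flash-loan fees, which is the bound the bot has to stay under.

```python
"""Constant-product model of the rebalance sandwich and of the fix
(rebalances too small to cover the attacker's fees).

Added example for this write-up, not Vesper's, Dedaub's or Immunefi's code.
Pool reserves, the flash-loan fee and the loan-size grid are constructed
assumptions; the 0.3% swap fee is Uniswap v2's real fee.
"""
from dataclasses import dataclass
from typing import List, Tuple

SWAP_FEE = 0.003    # Uniswap v2 charges 0.3% of the input amount
FLASH_FEE = 0.0009  # assumed flash-loan fee (0.09%)
# Assumed loan sizes an attacker might try, in WETH (constructed grid).
LOAN_SIZES: List[float] = [10, 50, 100, 250, 500, 1000, 2000, 3000, 5000, 8000, 12000]


@dataclass(frozen=True)
class Pool:
    """WETH/VSP reserves of an x*y=k pool (constructed values)."""
    weth: float
    vsp: float


def swap(reserve_in: float, reserve_out: float, amount_in: float) -> Tuple[float, float, float]:
    """Swap amount_in of the input asset; the fee is taken from the input.

    Returns (amount_out, new_reserve_in, new_reserve_out).
    """
    net_in = amount_in * (1 - SWAP_FEE)
    amount_out = reserve_out * net_in / (reserve_in + net_in)
    return amount_out, reserve_in + amount_in, reserve_out - amount_out


def sandwich_profit(pool: Pool, flash_weth: float, rebalance_weth: float,
                    flash_fee: float = FLASH_FEE) -> float:
    """Attacker's net WETH from sandwiching one rebalance of rebalance_weth.

    Steps 1-2: swap flash-borrowed WETH for VSP, inflating the VSP price.
    Steps 3-4: the rebalance buys VSP with the yield at that inflated price.
    Step 5:    sell the VSP back into a pool that now holds the rebalance's WETH.
    """
    vsp_held, w, v = swap(pool.weth, pool.vsp, flash_weth)
    _, w, v = swap(w, v, rebalance_weth)      # the strategy's VSP stays with the strategy
    weth_back, _, _ = swap(v, w, vsp_held)
    return weth_back - flash_weth * (1 + flash_fee)


def best_sandwich(pool: Pool, rebalance_weth: float,
                  loan_sizes: List[float] = LOAN_SIZES) -> Tuple[float, float]:
    """Most profitable (profit, loan size) over the candidate loan sizes."""
    return max((sandwich_profit(pool, a, rebalance_weth), a) for a in loan_sizes)


def rebalance_is_safe(pool: Pool, rebalance_weth: float,
                      loan_sizes: List[float] = LOAN_SIZES) -> bool:
    """True when no candidate loan size turns a profit on this rebalance size."""
    return best_sandwich(pool, rebalance_weth, loan_sizes)[0] <= 0


def max_safe_rebalance(pool: Pool, loan_sizes: List[float] = LOAN_SIZES,
                       iters: int = 50) -> float:
    """Largest per-rebalance WETH amount that no candidate loan can skim.

    Profit grows with the rebalance size, so the boundary can be bisected.
    This is the bound the rebalance bot must stay under after the fix.
    """
    lo, hi = 0.0, pool.weth
    for _ in range(iters):
        mid = (lo + hi) / 2
        if rebalance_is_safe(pool, mid, loan_sizes):
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    pool = Pool(weth=2000.0, vsp=1_000_000.0)  # constructed reserves
    for r in (50.0, 1.0):
        profit, loan = best_sandwich(pool, r)
        print(f"rebalance {r:>5} WETH: best attacker profit {profit:+.2f} WETH "
              f"with a {loan} WETH loan")
    print(f"largest safe rebalance: {max_safe_rebalance(pool):.2f} WETH")
```

With the constructed 2000 WETH / 1,000,000 VSP pool, a 50 WETH rebalance lets the best loan size keep roughly two thirds of the rebalance, with the rest lost to swap and flash-loan fees, which is the ratio the summary reports; a 1 WETH rebalance loses money at every loan size. The `max_safe_rebalance` bound is what a bot operator should recompute as pool depth changes, since the safe size scales with the pool's WETH reserve.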
Acknowledgements
We’d like to thank the Vesper team for their professionalism and quick response to the disclosure. Vesper has paid out an undisclosed bounty to the Dedaub Team and thanks Immunefi for helping to facilitate disclosure assistance. Vesper has now decided to host a bug bounty on Immunefi, which is yet another sign that Vesper takes security and responsibility seriously. This bug bounty is live as of today. If you’re interested in protecting your project with a bug bounty like Vesper, visit the Immunefi services page and fill out the form.