Bent Update
1/ As the Bent Finance dev team ramped up security processes by migrating contract ownership to multisig wallets, there was a brief window in which a rogue dev had the opportunity to inject an exploit into 2 pools. This happened 3 days before the multisig wallets were in place; once they were, the dev would not have had that opportunity again.
2/ The exploit was discovered after Bent Finance was added to DeBank (https://twitter.com/DeBankDeFi/status/1473077001267253248?s=20) and the community alerted us to an exploiter wallet showing large deposits.
3/ Bent Finance immediately initiated conversations with 2 whitehat hackers who uncovered the exploit.
4/ Backstory: on Nov-30-2021 01:09:27 PM UTC the Bent Deployer wallet upgraded the curve pool contracts in order to hardcode maximum fees to 17% of earnings.
The exploiter slipped a malicious contract into that upgrade that let the cvxcrv and mim pools carry hardcoded user balances, then deployed another contract to cover it up.
The exploiter used the following transactions to hardcode the balance of their account (0xd23cFFFa066F81c7640E3F0dc8Bb2958F7686D1F) in the cvxcrv and mim pools to an amount well beyond the TVL of each pool:
- https://etherscan.io/tx/0xf711641ea9814d78780c8a51ad734ad44d58baf3f97256a3f5ec3200a29eadc7
- https://etherscan.io/tx/0xd5e0d4ab279f6a0f8635307869471d7934cffa4086ec93d26e9e9c6a98ae9fef
- https://etherscan.io/tx/0xb37ffd779c26d1bf3105719662136af34090050abd962ab59e24d81cc7f63a07
- https://etherscan.io/tx/0x05328c4c128f65d8bed0ab8293fd0ce24bfbf9ce26591860d4bf90ac64b87267
More details: https://blog.hexens.io/whats-up-with-bent-finance-hack-bc6aa3d3ada
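A balance that was written straight into contract storage by a malicious implementation has no Deposit/Withdraw history behind it, and the sum of claimed balances then exceeds the LP tokens the pool actually holds, which is exactly what made the exploiter wallet stand out on DeBank. The script below, added here as an illustration and not code from Bent Finance or the whitehats, replays constructed deposit/withdraw events to derive what each user should hold, compares that with a (constructed) snapshot of on-chain balances, and reports phantom balances and the resulting shortfall against the pool's real LP holdings. All addresses, amounts and events in it are made up for the example; in practice the events and balances would come from an archive node.

```python
"""Detect pool balances with no deposit history and a claimed total that
exceeds the LP tokens the pool really holds.

Added example; not part of the Bent Finance post. Every address, amount and
event below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    block: int
    kind: str      # "Deposit" or "Withdraw"
    user: str
    amount: int    # LP token units as integers (wei-style)


def expected_balances(events: List[Event]) -> Dict[str, int]:
    """Replay Deposit/Withdraw events in block order to get the balance each
    user *should* hold. A balance written directly into storage (as the post
    describes for the cvxcrv and mim pools) never appears here."""
    balances: Dict[str, int] = defaultdict(int)
    for ev in sorted(events, key=lambda e: e.block):
        if ev.kind == "Deposit":
            balances[ev.user] += ev.amount
        elif ev.kind == "Withdraw":
            if balances[ev.user] < ev.amount:
                raise ValueError(f"withdraw exceeds history for {ev.user} at block {ev.block}")
            balances[ev.user] -= ev.amount
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return dict(balances)


def audit_pool(events: List[Event],
               onchain_balances: Dict[str, int],
               pool_lp_holdings: int) -> dict:
    """Compare event-derived balances with the on-chain snapshot.

    Returns the per-user mismatches as (expected, actual), the total the pool
    claims to owe, what it actually holds, and the shortfall a first-come
    withdrawal of the phantom balance would leave for everyone else."""
    expected = expected_balances(events)
    mismatches: Dict[str, tuple] = {}
    for user in set(expected) | set(onchain_balances):
        exp = expected.get(user, 0)
        act = onchain_balances.get(user, 0)
        if exp != act:
            mismatches[user] = (exp, act)
    total_claimed = sum(onchain_balances.values())
    return {
        "mismatches": mismatches,
        "total_claimed": total_claimed,
        "pool_lp_holdings": pool_lp_holdings,
        "shortfall": max(0, total_claimed - pool_lp_holdings),
    }


# Constructed sample data (hypothetical addresses and amounts).
ALICE = "0x" + "11" * 20
BOB = "0x" + "22" * 20
PHANTOM = "0x" + "bad" * 13 + "0"   # account whose balance was hardcoded

EVENTS = [
    Event(100, "Deposit", ALICE, 100 * 10**18),
    Event(101, "Deposit", BOB, 50 * 10**18),
    Event(105, "Withdraw", ALICE, 30 * 10**18),
]

# Snapshot of balanceOf() reads after the malicious upgrade (constructed).
ONCHAIN = {
    ALICE: 70 * 10**18,
    BOB: 50 * 10**18,
    PHANTOM: 1_000_000 * 10**18,   # no deposit event backs this
}

# LP tokens the pool contract itself actually holds (constructed).
POOL_LP_HOLDINGS = 120 * 10**18


if __name__ == "__main__":
    report = audit_pool(EVENTS, ONCHAIN, POOL_LP_HOLDINGS)
    for user, (exp, act) in report["mismatches"].items():
        print(f"{user}: expected {exp}, on-chain {act}")
    print(f"claimed {report['total_claimed']} vs held {report['pool_lp_holdings']}, "
          f"shortfall {report['shortfall']}")
```

The mismatch list is the signal a whitehat would chase: a balance with no deposit behind it can only come from storage being written outside the normal deposit path, which points straight at the implementation contract and the upgrade that installed it. Running the same audit on a schedule (or as a monitor on every `Upgraded` event) would have flagged the pools before the first withdrawal.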
5/ The exploiter has since withdrawn 513K cvxcrv LP tokens in these transactions:
https://etherscan.io/tx/0x0b2ce2f3822e09ca280d22e969d41b08e0df3ccfc75db08287e0e0c091dd6d50
https://etherscan.io/tx/0x4010b3b64336dc0a340a69010008f7b3fa3842466b2641a6961d888a771f5468
To date, no MIM has been withdrawn. We encourage all users to withdraw their MIM LP now.
As of now the 513k cvxcrv LP has been stolen. We are working to recover this directly from the rogue dev; if we are unable to, we will institute a plan for community recovery. If you have been affected, please get in contact with @swishedd in the discord or telegram.
6/ Several attackers have attempted exploits on Bent contracts since our announcement. All attempts failed.
7/ The cvxcrv and mim curve pools on Bent are the only pools affected.
Please keep in mind that, as of now, we have had to disable reward claims from the cvxcrv and mim pools. We will take a snapshot of user rewards owed at the time of the exploit and address it after all critical issues are put to rest.
To prevent any further exploits, the following transactions have been executed:
- Remove the bent mint role from the BentPoolManager:
https://etherscan.io/tx/0x405f558a7dfb0f156890c86bf78e92bfb26df7a95af5e3ecea420adf2bae1f1f
- Remove the exposed cvxcrv and mim pools from the pool manager; once removed, their reward distributions can no longer be claimed:
https://etherscan.io/tx/0x9903e1af022adba25f41b02fc7a75d85c58a8d1fb8df4bd8d4b427b74c4b8d90
https://etherscan.io/tx/0x630565686d58b5ed1b361cd1eb736e861deb8dc9ced753bf5b55861efa4cec7d
- Transfer bent single staking proxy ownership to the multisig:
https://etherscan.io/tx/0xd2dff8a978e27d41d5d2d29ecc5b11b0aff042929fab70c3c0afb7cc7e266852
8/ Transfer of the BentCVXSingleStaking contracts (a product yet to be announced), as a precaution:
- Transfer bentCVXSingleStaking proxy admin ownership:
https://etherscan.io/tx/0x053a5f7939e6e82a4be7b4fcbaf6829ad65df4fdcd8bcc13a8e2a8a3e1bc34e7
- Transfer bentCVXSingleStaking contract ownership:
https://etherscan.io/tx/0x34e9d82fb552dc35776ceacea7336983aded93af0a5e470b892cd19982bc6a4e
- Transfer bentCVXRewarderCVXEarnings contract ownership:
https://etherscan.io/tx/0xc46826177ab8098fc97bac31b2fcd15da7a808014c98a1fa186925c02f86ec94
- Transfer bentCVXRewarderBentEarnings contract ownership:
https://etherscan.io/tx/0x0bf31e999c691e2a8680cf713495086fbac77224bba46346ca0d9beea8903fc6
- Transfer bentCVXRewarderMasterchef contract ownership:
https://etherscan.io/tx/0x66e7551ebb7c58175f9cdcee7a6ca7886bd57e8521624080841cca33d0726b72
- Reset Fees to 1% Harvester, 6% Bent Single Staking, 0% BentCVX Single Staking (also reset address):
https://etherscan.io/tx/0x0205ac5223ea7a0fea7d2c07fcc8bdd49d3aa4be520faaa34b10e9b81c49687d
Summary: ownership of all Bent contracts is now held by the Bent Finance multisig, over which the old Bent Deployer (the exploiter) has no control.
Next Steps:
- The rogue dev has been reported to the relevant authorities as the investigation continues.
- We are working to recover the stolen funds directly from the rogue dev; if we are unable to, we will institute a plan for community recovery. If you have been affected, please get in contact with us in the discord or telegram groups.
- Bent AMA in discord with the team, to answer any further questions (time to be set soon)
- Re-enable claiming of rewards on all unaffected pools within 24hrs — funds are safe!
- Full code re-audit in process, no issues so far.
- Redeploy the 2 affected pools (cvxcrv, mim)
- Considering integrating time lock functionality into future contracts
- Further confirmation from second auditors that the deployed contracts are sound
- Open pools to public on the front end website.