1/ As the Bent Finance dev team ramped up security processes by migrating contract ownership to multisig wallets, there was a brief timeframe in which a rogue dev had the opportunity to inject malicious code into 2 pools. This happened 3 days before the multisig wallets were in place and, therefore, the dev would never have had the opportunity again.
2/ An exploit was discovered after Bent Finance was added to debank https://twitter.com/DeBankDeFi/status/1473077001267253248?s=20 and the community alerted us to the exploiter wallet with large deposits.
3/ Bent Finance immediately initiated conversations with 2 whitehat hackers who uncovered the exploit.
4/ Backstory: on Nov-30–2021 01:09:27 PM +UTC the Bent Deployer wallet upgraded the curve pool contracts in order to hardcode maximum fees to 17% of earnings.
The exploiter slipped in a malicious implementation contract that gave the cvxcrv and mim pools hardcoded user balances, then deployed another contract to cover it up.
2/ The exploiter used the following transactions to hardcode the balance of their account (0xd23cFFFa066F81c7640E3F0dc8Bb2958F7686D1F) in the cvxcrv and mim pool to a significant amount beyond the TVL in the pool.
4/ The exploiter has since withdrawn 513K cvxcrv LP tokens in these transactions:
To date, no MIM has been withdrawn — we encourage all users to withdraw their MIM LP now.
As of now, the 513k cvxcrv LP has been stolen. We are working to recover it directly from the rogue dev; if we are unable to, we will institute a plan for community recovery. If you have been affected, please get in contact with @swishedd in the Discord or Telegram.
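The exploit described above was noticed because one wallet's recorded balance exceeded the pool's TVL. The following is an added example, not Bent Finance code, of the reconciliation check a monitor could run offline against a pool's state: it rebuilds every account's balance from its deposit and withdrawal history and flags any recorded balance that the history does not justify or that exceeds what the pool contract actually holds. The event list, addresses and amounts are constructed for the example; the event shape, the `pool_holdings` figure and the hypothetical pool are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

WEI = 10 ** 18  # amounts below are in 18-decimal token units (assumption)


@dataclass(frozen=True)
class Event:
    """One deposit or withdrawal event emitted by the (hypothetical) pool."""
    kind: str      # "Deposit" or "Withdraw"
    account: str
    amount: int


def expected_balances(events):
    """Replay the event history to get the balance each account should have."""
    bal = defaultdict(int)
    for e in events:
        if e.kind == "Deposit":
            bal[e.account] += e.amount
        elif e.kind == "Withdraw":
            bal[e.account] -= e.amount
        else:
            raise ValueError(f"unknown event kind {e.kind!r}")
    # Drop accounts that netted out to zero so they do not appear as "expected".
    return {acct: v for acct, v in bal.items() if v != 0}


def reconcile(onchain_balances, events, pool_holdings):
    """Compare recorded balances with history and with the pool's real holdings.

    Returns a dict mapping account -> list of human-readable reasons. The
    synthetic key "<pool>" carries an aggregate finding when the sum of all
    recorded balances exceeds what the pool contract actually holds.
    """
    expected = expected_balances(events)
    findings = {}
    for acct, recorded in onchain_balances.items():
        reasons = []
        exp = expected.get(acct, 0)
        if recorded != exp:
            # A balance that appeared without matching deposits is exactly what a
            # malicious implementation with hardcoded balances produces.
            reasons.append(f"recorded {recorded} != history-implied {exp}")
        if recorded > pool_holdings:
            reasons.append(f"recorded {recorded} exceeds pool holdings {pool_holdings}")
        if reasons:
            findings[acct] = reasons
    total = sum(onchain_balances.values())
    if total > pool_holdings:
        findings["<pool>"] = [f"sum of balances {total} exceeds pool holdings {pool_holdings}"]
    return findings


# Constructed sample data: two honest depositors plus one account whose balance
# was written directly into storage by a malicious implementation (no events).
EVENTS = [
    Event("Deposit", "0xalice", 100 * WEI),
    Event("Deposit", "0xbob", 250 * WEI),
    Event("Withdraw", "0xalice", 40 * WEI),
]
POOL_HOLDINGS = 310 * WEI  # LP tokens the pool contract really holds (constructed)
ONCHAIN_BALANCES = {
    "0xalice": 60 * WEI,
    "0xbob": 250 * WEI,
    "0xrogue": 500 * WEI,  # hardcoded; never deposited anything
}

if __name__ == "__main__":
    for acct, reasons in reconcile(ONCHAIN_BALANCES, EVENTS, POOL_HOLDINGS).items():
        print(acct, *reasons, sep="\n  ")
```

Running the check after every implementation upgrade, and not only on a schedule, narrows the window between a malicious upgrade and its discovery; the per-account finding also identifies the wallet to watch before any withdrawal happens.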
5/ Several attackers have attempted exploits on Bent contracts since our announcement. All attempts failed.
6/ The cvxcrv and mim curve pools on Bent are the only pools affected.
Please keep in mind that as of now we have had to disable reward claims from the cvxcrv and mim pools. We will take a snapshot of user rewards owed at time of exploit and address it after all critical issues are put to rest.
To prevent any further exploits, the following transactions have been executed:
- Remove bent mint role from the BentPoolManager
- Remove the exposed cvxcrv and mim pools from the pool manager; once removed, their reward distributions can no longer be claimed:
- Transfer bent single staking proxy ownership to multisig:
7/ Transfer of BentCVXSingle Staking contracts (yet to be announced product), as a precaution.
- Transfer bentCVXSingleStaking proxy admin ownership:
- Transfer bentCVXSingleStaking contract ownership:
- Transfer bentCVXRewarderCVXEarnings contract ownership:
- Transfer bentCVXRewarderBentEarnings contract ownership
- Transfer bentCVXRewarderMasterchef contract ownership:
- Reset Fees to 1% Harvester, 6% Bent Single Staking, 0% BentCVX Single Staking (also reset address):
Summary: all ownership of Bent contracts is now held entirely by the Bent Finance multisig, over which the old Bent Deployer (the exploiter) has no control.
- The rogue dev has been reported to the relevant authorities as the investigation continues.
- We are working to recover the stolen funds directly from the rogue dev; if we are unable to, we will institute a plan for community recovery. If you have been affected, please get in contact with us in the Discord or Telegram groups.
- Bent AMA in discord with the team, to answer any further questions (time to be set soon)
- Re-enable claiming of rewards on all unaffected pools within 24hrs — funds are safe!
- Full code re-audit in process, no issues so far.
- Redeploy the 2 affected pools (cvxcrv, mim)
- Considering integrating time lock functionality into future contracts
- Further confirmation from second auditors that deployed contracts are perfect
- Open pools to public on the front end website.
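The two controls in the list above, multisig ownership and a time lock on upgrades, close exactly the window the rogue dev used: a single deployer key could swap a pool's implementation in one transaction with no delay. The block below is an added example, written in Python rather than Solidity and not Bent Finance's code, that models an upgrade admin requiring a threshold of signers and a minimum delay before a proposed implementation can be activated. The `Proxy` class, signer addresses, threshold, delay and implementation names are all constructed assumptions.

```python
from dataclasses import dataclass, field


class GovernanceError(Exception):
    """Raised when an upgrade is attempted without the required approvals or delay."""


@dataclass
class Proposal:
    new_impl: str
    proposed_at: int            # unix timestamp supplied by the caller
    approvals: set = field(default_factory=set)
    executed: bool = False


class Proxy:
    """Minimal stand-in for an upgradeable proxy: it just records the active implementation."""
    def __init__(self, implementation):
        self.implementation = implementation


class TimelockedMultisigAdmin:
    """Upgrade admin that needs `threshold` distinct signers and `delay` seconds per upgrade."""

    def __init__(self, proxy, signers, threshold, delay):
        if not 1 <= threshold <= len(signers):
            raise ValueError("threshold must be between 1 and the number of signers")
        self.proxy = proxy
        self.signers = frozenset(signers)
        self.threshold = threshold
        self.delay = delay
        self.proposals = []

    def _require_signer(self, signer):
        if signer not in self.signers:
            raise GovernanceError(f"{signer} is not a signer")

    def propose(self, signer, new_impl, now):
        """Queue an upgrade; the proposer's own approval is recorded, and the clock starts now."""
        self._require_signer(signer)
        self.proposals.append(Proposal(new_impl, now, {signer}))
        return len(self.proposals) - 1

    def approve(self, signer, pid):
        self._require_signer(signer)
        self.proposals[pid].approvals.add(signer)

    def can_execute(self, pid, now):
        """Return (ok, reason) without changing state, so callers and monitors can inspect it."""
        p = self.proposals[pid]
        if p.executed:
            return False, "already executed"
        if len(p.approvals) < self.threshold:
            return False, f"{len(p.approvals)} of {self.threshold} approvals"
        ready_at = p.proposed_at + self.delay
        if now < ready_at:
            return False, f"timelock active until {ready_at}"
        return True, "ok"

    def execute(self, pid, now):
        ok, reason = self.can_execute(pid, now)
        if not ok:
            raise GovernanceError(reason)
        p = self.proposals[pid]
        p.executed = True
        self.proxy.implementation = p.new_impl


DELAY = 48 * 3600  # 48-hour review window (constructed value)

if __name__ == "__main__":
    proxy = Proxy("0xImplV1")
    admin = TimelockedMultisigAdmin(proxy, ["0xA", "0xB", "0xC"], threshold=2, delay=DELAY)
    pid = admin.propose("0xA", "0xImplV2", now=1_000)
    print(admin.can_execute(pid, now=1_000))          # one signer, delay not elapsed
    admin.approve("0xB", pid)
    print(admin.can_execute(pid, now=1_000))          # threshold met, still timelocked
    admin.execute(pid, now=1_000 + DELAY)
    print(proxy.implementation)                       # 0xImplV2
```

The delay is what turns a silent upgrade into an auditable one: the queued implementation address is public for the whole window, so anyone, including the reconciliation check used by the whitehats, can diff the new bytecode against the audited source before it goes live.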