# wstETH/ETH Vault Post Mortem

## Root Cause

Users can borrow USX by depositing Curve LP tokens as collateral.

https://chainsecurity.com/heartbreaks-curve-lp-oracles/

The LP price can be manipulated, which exposes all vault users to the risk of liquidation.

## Sequence on Optimism

- Flashloan 6037.754609353686 ETH from Aave
- 17674.854202303984 ETH
- Add 23712.60881165767 ETH into Curve wstETH/ETH pool, get 22851.167989510723 wstETHCRV
- Transfer 2335.1648351648355 wstETHCRV-gauge to 0x53c5
- 0x53c5 deposits 2335.1648351648355 wstETHCRV-gauge into vault
- 0x53c5 borrows 2550000 USX and transfers it to 0xee29
- **burn 20516.003154345883 wstETHCRV, get 18642.131831461033 ETH / 2309.6087795125472 wstETH**
- 0xee29 liquidates 0x53c5, 1275000 USX for 2159.9455 wstETHCRV-gauge
- Other liquidations
- redeem 2364.9530815689077 wstETHCRV-gauge from vault
- burn 2364.9530815689077 wstETHCRV, get 2148.9452302257287 ETH / 266.23686686116383 wstETH
- repay flash loan 17674.854202303984 ETH
- repay 6037.754609353686 ETH

## Asset Flow

## Protocol Damage

| Chain    | wstETHCRV-gauge     | USX                  | value($)           | price(wstETHCRV-gauge)  | price(ETH-USD)          |
|:-------- | -------------------:|:-------------------- |:------------------:|:----------------------- | ----------------------- |
| Arbitrum | -1019.5773172653946 | -1219437.4393634812  | 2812279.602639645  | 1562.257355379698820370 | 1544.692200000000000000 |
| Optimism | -29.7882464040731   | -1153985.5335791681  | 1200945.0653913883 | 1576.444990256261046630 | 1545.200000000000000000 |
| Total    | -1049.3655636694677 | -2373422.9729426494  | 4013224.668031033  |                         |                         |

## Liquidations

- Optimism

| Address                                             | Repay USX                  | Seize wstETHCRV-gauge   |
|:--------------------------------------------------- | -------------------------- | -----------------------:|
| 0x53c59365183cc86bd842150ba8d88cc2da5d7b28 (hacker) | 1275000.000000000000000000 | 2159.945510257616270965 |
| 0x916792f7734089470de27297903bed8a4630b26d          | 75009.434370356117183281   | 127.071600780560018180  |
| 0xe2d54c3d2e9b3914e8ff88eab605d4b0efe22265          | 25002.544247825929330456   | 42.356182896556082770   |
| 0x9035b69186fca1a9a43d6d5aab62822ed666e6e0          | 21002.487802649848424038   | 35.579787634175599054   |

- Arbitrum

| Address                                             | Repay USX                 | Seize wstETHCRV-gauge   |
|:--------------------------------------------------- | ------------------------- | -----------------------:|
| 0x53c59365183cc86bd842150ba8d88cc2da5d7b28 (hacker) | 560525.526525080924601515 | 1904.761904761904761904 |
| 0x916792f7734089470de27297903bed8a4630b26d          | 300037.034111437845493368 | 1019.577317265394873995 |

## Account states

- Optimism

| Address                                             | vwstETHCRV-gauge before | vwstETHCRV-gauge after | USX Borrowed before       | USX Borrowed after         |
| :-------------------------------------------------- | ----------------------: | ---------------------: | ------------------------: | -------------------------: |
| 0x53c59365183cc86bd842150ba8d88cc2da5d7b28 (hacker) | 0                       | 175.219324907218893870 | 0                         | 1275000.000000000000000000 |
| 0x916792f7734089470de27297903bed8a4630b26d          | 312.116679017349629067  | 185.045078236789610887 | 150000.000000000000000000 | 75009.434370356117183281   |
| 0xe2d54c3d2e9b3914e8ff88eab605d4b0efe22265          | 84.478499756417623800   | 42.122316859861541030  | 50000.000000000000000000  | 25002.544247825929330457   |
| 0x9035b69186fca1a9a43d6d5aab62822ed666e6e0          | 45.193119189010750793   | 9.613331554835151739   | 42000.000000000000000000  | 21002.487802649848424039   |
| 0x09fa38eba245bb68354b8950fa2fe71f02863393          | 1.079191992678870695    | 1.079191992678870695   | 500.000000000000000000    | 500.000000000000000000     |

- Arbitrum

| Address                                             | vwstETHCRV-gauge before | vwstETHCRV-gauge after | USX Borrowed before       | USX Borrowed after         |
| :-------------------------------------------------- | ----------------------: | ---------------------: | ------------------------: | -------------------------: |
| 0x53c59365183cc86bd842150ba8d88cc2da5d7b28 (hacker) | 0                       | 0                      | 0                         | 1519474.473474919075398485 |
| 0x916792f7734089470de27297903bed8a4630b26d          | 1048.367124034987826551 | 28.789806769592952556  | 600000.000000000000000000 | 300037.034111437845493369  |
| 0x47bc4b286e8186f8e9f155da7136a050444849c9          | 0.000000694541467969    | 0.000000694541467969   | 0.00076112568184189       | 0.00076112568184189        |
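
The following forensic check is an added example, not part of the original post-mortem or the protocol's code: it takes the rows of the Liquidations tables and the reference LP prices from the Protocol Damage table, derives the USX paid per wstETHCRV-gauge seized, and flags liquidations settled far below the reference price. It assumes USX is valued at $1; the 20% threshold and the function names are hypothetical.

```python
from decimal import Decimal as D

# USD price per wstETHCRV-gauge, copied from the "Protocol Damage" table.
REF_PRICE = {
    "Optimism": D("1576.444990256261046630"),
    "Arbitrum": D("1562.257355379698820370"),
}

# (chain, borrower, USX repaid, wstETHCRV-gauge seized), copied from "Liquidations".
LIQUIDATIONS = [
    ("Optimism", "0x53c59365183cc86bd842150ba8d88cc2da5d7b28",
     D("1275000.000000000000000000"), D("2159.945510257616270965")),
    ("Optimism", "0x916792f7734089470de27297903bed8a4630b26d",
     D("75009.434370356117183281"), D("127.071600780560018180")),
    ("Optimism", "0xe2d54c3d2e9b3914e8ff88eab605d4b0efe22265",
     D("25002.544247825929330456"), D("42.356182896556082770")),
    ("Optimism", "0x9035b69186fca1a9a43d6d5aab62822ed666e6e0",
     D("21002.487802649848424038"), D("35.579787634175599054")),
    ("Arbitrum", "0x53c59365183cc86bd842150ba8d88cc2da5d7b28",
     D("560525.526525080924601515"), D("1904.761904761904761904")),
    ("Arbitrum", "0x916792f7734089470de27297903bed8a4630b26d",
     D("300037.034111437845493368"), D("1019.577317265394873995")),
]

# Assumption: the largest gap between implied and reference price that a
# liquidation incentive alone could explain. Hypothetical value, tune per market.
MAX_DISCOUNT = D("0.20")

def analyse(rows=LIQUIDATIONS, ref=REF_PRICE, max_discount=MAX_DISCOUNT):
    """Return one record per liquidation with the implied LP price and a flag."""
    out = []
    for chain, borrower, repaid, seized in rows:
        implied = repaid / seized      # USX paid per LP token seized (USX assumed = $1)
        ratio = implied / ref[chain]   # 1.0 means collateral seized at the reference price
        out.append({"chain": chain, "borrower": borrower, "implied": implied,
                    "ratio": ratio, "flagged": ratio < 1 - max_discount})
    return out

def price_spread(results, chain):
    """Max minus min implied price on one chain; near zero means one shared price."""
    prices = [r["implied"] for r in results if r["chain"] == chain]
    return max(prices) - min(prices)

if __name__ == "__main__":
    for r in analyse():
        print(f'{r["chain"]:9} {r["borrower"][:6]} implied={r["implied"]:.2f} '
              f'ratio={r["ratio"]:.3f} flagged={r["flagged"]}')
```

On the page's figures every liquidation is flagged, and the implied price is the same for all borrowers on a given chain.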