# Eleven.finance (BSC) - Burn, baby, burn!
## Summary
**[Eleven.finance](https://eleven.finance)**, a yield aggregator on Binance Smart Chain (BSC) and Polygon (MATIC), was exploited for an estimated total of $4.5M in user-deposited assets.
The root cause was a function called `emergencyBurn()` in the intermediary vault used to track the anySwap / Nerve-bridged assets nrvBTC, nrvETH and nrvFUSDT in the Eleven "MasterMind" farming contract.
The attacker first took a flash loan of each asset's underlying token balance in the "MasterMind" contract (Binance-pegged BTC, ETH and USDT) to convert these into *nrvBTC*, *nrvETH* and *nrvFUSDT* respectively.
Nerve 3Pool and PancakeSwap BUSD - NRV liquidity provider positions were also affected.
A **vulnerable function**, `emergencyBurn()`, in the intermediate vault contract **allowed the attacker to withdraw the deposited balance without the withdrawal being accounted for internally.**
As a result, the attacker was able to remove not only his own deposit but also the full balance that had been in the vault before, which was of the same amount.
The attacker had the nerves to use the Nerve bridge to transfer out 2,293 ETH in proceeds to the address `0xdb2d590aCe7cAe51DF1fB3312738038Ec032Bf33` on Ethereum.
### Steps
- borrow underlying assets from PancakeSwap (Flash Swap)
- convert amount (mint) to Nerve asset
- deposit Nerve asset to "MasterMind" through intermediate vault
- call `emergencyBurn()` on intermediate vault, transferring an amount equal to the previously deposited amount (equal to vault balance *before* attack) to the attacker
- proceed with a regular withdrawal, transferring the previously deposited asset balance back to the attacker
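
The accounting gap behind these steps, as an added example: a simplified Python model of a share-tracking vault, not Eleven's contract code. The class, the `burn_shares_on_emergency` switch, the 1:1 share ratio and the amounts are assumptions made for illustration; the `solvent()` invariant is the kind of check a test suite would assert after every state-changing call.

```python
# Simplified model of a share-tracking vault (constructed; not Eleven's contract code).
class Vault:
    def __init__(self, burn_shares_on_emergency):
        self.shares = {}   # depositor -> vault shares (1 share == 1 token in this model)
        self.held = 0      # tokens the vault actually holds
        self.fixed = burn_shares_on_emergency

    def deposit(self, who, amount):
        self.held += amount
        self.shares[who] = self.shares.get(who, 0) + amount

    def withdraw(self, who):
        """Regular path: burn the caller's shares, then pay out."""
        amount = self.shares.pop(who, 0)
        if amount > self.held:
            raise RuntimeError("vault insolvent")
        self.held -= amount
        return amount

    def emergency_burn(self, who):
        """Emergency path: pays out; only the fixed variant updates the share ledger."""
        amount = self.shares.get(who, 0)
        if amount > self.held:
            raise RuntimeError("vault insolvent")
        self.held -= amount
        if self.fixed:
            self.shares.pop(who, None)  # the accounting step the flawed path skips
        return amount

    def solvent(self):
        """Invariant: tokens held must cover every outstanding share."""
        return self.held >= sum(self.shares.values())


def run_scenario(fixed):
    """Other users hold 100; one account deposits 100, then uses both exit paths."""
    v = Vault(burn_shares_on_emergency=fixed)
    v.deposit("users", 100)
    v.deposit("caller", 100)
    paid = v.emergency_burn("caller")
    ok_after_emergency = v.solvent()  # fails here in the flawed variant
    paid += v.withdraw("caller")
    return paid, v.held, ok_after_emergency


if __name__ == "__main__":
    print("flawed:", run_scenario(fixed=False))
    print("fixed: ", run_scenario(fixed=True))
```

In the flawed variant the invariant already fails right after the emergency call, before the second payout, which is where a unit test or on-chain monitor would catch it.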
### Funds lost
- 30.75 BTCB for ~**$1.05M** from *nrvBTC*
- 286 ETH for ~**$561K** from *nrvETH*
- 2.241M BUSD for ~**$2.241M** from *NRV 3Pool LP*
- 0.647M BUSD for **$647K** from *NRV - BUSD LP*