Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Vesper Rebase Vulnerability Bugfix Review And Bug Bounty- 916

Immunefi, posted 3 years ago
  • Vesper is a DeFi platform that puts your deposited assets to work and makes money for you. This money is called yield, and it comes from deploying your assets in various DeFi protocols.
  • When the function rebalance() is called, it takes the underlying assets of a user and buys VSP with them. This pushes the price of VSP up; VSP holders are entitled to a percentage of the yield that the use of the underlying asset produces. Vesper's rebalancing bot does this in order to distribute yield to holders by inflating the price of VSP.
  • The rebalance function appears to have been callable by anyone, not just the bot. This is part of where the problem lies.
  • An attacker could exploit the publicly callable distribution function by taking out a flash loan. First, the attacker would take out a loan in WETH and swap the WETH for VSP on Uniswap. Now the pool has significantly more WETH than VSP, drastically inflating the price of VSP.
  • Then call rebalance() manually. This call performs a swap to buy VSP, but because of the price inflated by the flash loan, the swap gets a much smaller amount of VSP than it should. As a result, most of the WETH from the rebalance() ends up in the hands of the flash loan borrower, even though they did not participate in the farming at all.
  • There is a cooldown period on the rebalance() call, so this was not the most likely attack to occur. Additionally, they claim this attack would have been discovered through monitoring... but I think that relying on this for security is a bad precedent to set.
  • To fix this vulnerability, the frequency of rebalances called by the bot was sped up dramatically. By doing this, the cost of the flash loan and the swap fees makes the attack no longer viable. If there's no profit, then there is no attack. It appears that the whitehat hacker got no funds from this.
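To see why shrinking the amount moved per rebalance kills the profit, here is a constant-product (x*y=k) pool model of the sequence in the notes above. It is an added example, not Vesper's or Immunefi's code; the pool reserves, fee rates and loan sizes are constructed assumptions, not the real figures from the bug report.

```python
# Constant-product (x*y=k) model of the rebalance() manipulation described in
# the notes. Added example, not Vesper's or Immunefi's code; pool sizes, fee
# rates and loan sizes are constructed assumptions, not real figures.
FLASH_LOAN_FEE = 0.0009  # assumed: 0.09% flash-loan fee
SWAP_FEE = 0.003         # assumed: 0.30% Uniswap-v2-style pool fee


def swap(reserve_in, reserve_out, amount_in, fee=SWAP_FEE):
    """x*y=k swap; returns (amount_out, new_reserve_in, new_reserve_out)."""
    net_in = amount_in * (1 - fee)
    amount_out = reserve_out * net_in / (reserve_in + net_in)
    return amount_out, reserve_in + amount_in, reserve_out - amount_out


def honest_rebalance(weth_reserve, vsp_reserve, rebalance_weth):
    """VSP that rebalance() buys from an untouched pool (the expected outcome)."""
    return swap(weth_reserve, vsp_reserve, rebalance_weth)[0]


def manipulated_rebalance(weth_reserve, vsp_reserve, rebalance_weth, loan_weth):
    """Replay the sequence from the notes: flash-loaned WETH is swapped into
    VSP (price up), rebalance() buys at the inflated price, the VSP is sold
    back and the loan repaid. Returns (borrower's net WETH, VSP rebalance() got)."""
    vsp_held, w, v = swap(weth_reserve, vsp_reserve, loan_weth)   # step 1
    vsp_to_protocol, w, v = swap(w, v, rebalance_weth)            # step 2
    weth_back, _, _ = swap(v, w, vsp_held)                        # step 3
    net = weth_back - loan_weth * (1 + FLASH_LOAN_FEE)
    return net, vsp_to_protocol


def max_manipulation_profit(weth_reserve, vsp_reserve, rebalance_weth):
    """Defender's check: best net WETH over a grid of loan sizes. A negative
    result means the loan and swap fees exceed what any loan in the grid can
    extract, i.e. the rebalance amount is too small for the manipulation to pay."""
    grid = [weth_reserve * f for f in (0.01, 0.05, 0.1, 0.2, 0.5, 1, 2, 5)]
    return max(manipulated_rebalance(weth_reserve, vsp_reserve,
                                     rebalance_weth, loan)[0] for loan in grid)


if __name__ == "__main__":
    POOL_WETH, POOL_VSP = 1_000.0, 100_000.0   # constructed pool reserves
    for rebalance_weth in (50.0, 2.0):         # rare, large vs. frequent, small rebalances
        expected = honest_rebalance(POOL_WETH, POOL_VSP, rebalance_weth)
        net, got = manipulated_rebalance(POOL_WETH, POOL_VSP, rebalance_weth, 1_000.0)
        best = max_manipulation_profit(POOL_WETH, POOL_VSP, rebalance_weth)
        print(f"rebalance {rebalance_weth:4.1f} WETH: honest {expected:7.1f} VSP, "
              f"manipulated {got:7.1f} VSP, borrower net {net:+.2f} WETH, "
              f"best over loan grid {best:+.2f} WETH")
```

With 50 WETH per rebalance the borrower nets roughly 34 WETH and the protocol receives about a quarter of the VSP it should; at 2 WETH per rebalance every loan size in the grid loses money to fees, which is the economics the fix relies on.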