bVaults’ BUSD Alpaca Strategy Exploit Post-Mortem and bEarn’s Compensation Plan

Dear Community,

Firstly, we must say that we deeply regret this incident and that we are sorry for any economic loss endured by our community members. We hope that the actions detailed within this article will help in this regard. We would like to thank our community for their understanding and the support shown to our ecosystem through every bump in the road. The commitment of our community is what motivates us to work harder every single day and so we hope our compensation plan will reflect this.

What actually happened ?

bVaults’ BUSD Alpaca strategy was exploited and drained 10,859,319 BUSD out of the pool, Incident started at 10:36:00 AM UTC, May 16, 2021. We want to let everybody know that only the single stake BUSD bVault using Alpaca as the source strategy was affected. Please be assured that the rest of our bVaults are not at risk, nor any other pools in our platform.

Why did it happen?

The incident was due to the improper implementation of the function withdraw(address, uint256 wantAmount): we passed the method withdraw from FairLaunch contract with BUSD amount while we should have used ibBUSD amount instead. Because of this, the strategy withdrew more BUSD than needed and the extra amount was used to deposit to FairLaunch subsequently, which increased the locked BUSD amount in the contract while there was no new deposit.

BvaultsStrategy.alpaca.busd.sol Line #205

How did it happen?

First attacking transaction (https://bscscan.com/tx/0x603b2bbe2a7d0877b22531735ff686a7caad866f6c0435c37b7b49e4bfd9a36c):

[1] Flash loan 7.8m BUSD on Cream

[2] Deposited and withdrew (with more BUSD) on bVaults. Repeated for 30 times

[3] Finally withdrew 8.26m BUSD. Repaid flash loan of 7.8m BUSD to Cream

There are a total of 26 attacking txs (https://bscscan.com/txs?a=0xef39f14213714001456e2e89eddbdf8c850c3be6) which finally drained out with the estimated of $10.86M

What Immediate actions did we take?

• Contacted Binance Authorities immediately to block the hacker(s) fund transfers
• Contacted Auditors (Certik, Peckshield) to analyze the incident and get feedback to protect the remaining fund
• We Made an immediate pause on all interactions for all bVaults. The reason for this is to ensure that all the remaining user funds stay secure and protect our community’s investments while giving us adequate time to evaluate the incident, this is also why most bVaults displayed zero balance in the UI for a certain period
• Called withdraw-all from the Alpaca farming pool back to the vault (this will be executed after 24h due to the Timelock for emergency)
• Created a Snapshot for every depositor’s balance before the attack to record and calculate exact compensation amounts.

Compensation Plan

We will create a compensation fund which will consist of a combination of the remaining saved funds, Dev Fund, DAO Fund and a portion of fees generated by the protocol. Plan details are being worked on, and while we are waiting for the balance snapshot to deploy the compensation contract, the draft plan is to help every affected user claim back their funds in the following manner:

• 87.5% of initial deposit amount in BUSD (immediately)
• 10% of initial deposit amount in BDEX (vesting token in 80 weeks, same as the core team)
• 7.5% of initial deposit amount in BDOv2 (immediately)

In summary, affected users will receive an extra 5% of their deposited amount.

Final Thoughts

We must take this moment to recapitulate all of our products. It is evident that with counterless attacks recently happening on many DeFi projects, going forward it is necessary to shift our focus from innovation in favor of increased security.

As a commitment to security and risk management, any and all new bVaults from today onwards will have a deposit limit cap implemented until a full audit is performed and passed upon the utilized strategy.

About bEarn Fi

bEarn Fi is a cross-chain product in Decentralized Finance (DeFi) that at its core provides yield generation, algorithmic stablecoin, gaming aggregation, cross-chain bridge, treasury, lending, DEX, yield calculator, lottery, NFTs, and governance on multi-chain: Binance Smart Chain blockchain (BSC) and Ethereum blockchain.

Follow bEarn Fi on Medium and other channels to not miss any updated news!

Telegram: https://t.me/Bearn_Fi

Discord: https://discord.gg/j2TRcSHRe3

Medium: https://medium.com/@bearn.defi

Twitter: https://twitter.com/bDollar_Fi

Twitter: https://twitter.com/BearnFi

Mail: contact@bearn.fi