Vee and Zabu Finance Exploits: Two Uncannily Similar Attacks

TRM InsightsTRM Investigations
Vee and Zabu Finance Exploits: Two Uncannily Similar Attacks

Decentralized Finance (DeFi) attacks continue to occur at an accelerated rate in 2021. Within the last two weeks, at least two targeted attacks against protocols operating on the smart contract platform Avalanche have resulted in almost $40 million in losses. On September 20, 2021, Vee Finance (VF) officially announced its smart contract platform was attacked with an estimated loss of $35 million.

According to VF, the stolen funds were swept to address 0xeeeE458C3a5eaAfcFd68681D405FB55Ef80595BA (95ba). TRM's blockchain intelligence (BLOCKINT) platform identified that eight minutes prior to the exploit, 95ba was funded with approximately 27 Ethereum (ETH) from the mixing service Tornado Cash. Within the first 24 hours of the attack, only two out-going transactions totaling approximately 27 ETH were  withdrawn from the attacker wallet.

To swap the 27 ETH for 27 Wrapped Ethereum (WETH), the VF attacker utilized the 0x DeFi protocol. That stolen WETH was then sent to Avalanche. This post-exploit on-chain movement mirrors the flow of funds in the Zabu Finance attack. Given the on-chain similarities, it is possible that both Avalanche smart contract projects were targeted by the same individual, or a copy cat using almost identical tactics. For example:

  1. Both attacks used the 0x DeFi protocol.
  2. Both attacks swapped ETH for WETH.
  3. Both attacks sent WETH directly to Avalanche after the swap.
  4. Both attacks interacted with the Tornado Cash mixing service.

The above graph is a side by side view of Zabu Finance and Vee Finance Attacker flows

Cross-chain swap to Bitcoin

As of September 23, 2021, the attacker converted approximately 213 of the stolen ETH to Bitcoin (BTC) through ParaSwap,, and Ren Project services. TRM's BLOCKINT platform enabled the view of all funds re-emerging on the Bitcoin chain.” The attacker has begun moving at least some of the swapped BTC; as of 09:39 EST, the 13.479 BTC had been split in a pair of transactions. The ultimate destination of these funds remains unclear. TRM continues to monitor the flow of attacker funds and will continue to support law enforcement and private industry partners as necessary.

Vee Finance communicates via Ethereum transactions

When PolyNetwork announced its platform was exploited in August for over $600 million, the company began communicating with the attacker via ETH transactions. Over a period of almost two weeks, the negotiation occurred publicly between the attacker and PolyNetwork, resulting in the return of almost all of the stolen funds. The VF team appears to be taking a page out of the PolyNetwork playbook by attempting to negotiate a bug bounty with the attacker in the same way. At least two messages were sent via ETH transactions to the attacker. The attacker has yet to respond.

The above screenshot is a message sent directly to the Vee Finance exploiter address

The above screenshot is a message sent directly to the Vee Finance exploiter address

TRM Labs continues to monitor the flow of stolen funds from the Zabu Finance and Vee Finance exploits. For further information on how these updates may affect your platform as a TRM partner, or for more information about TRM, please contact us directly via To submit a lead to TRM Global Investigations, contact

This is some text inside of a div block.
Subscribe and stay up to date with our insights

Access our coverage of TRON, Solana and 23 other blockchains

Fill out the form to speak with our team about investigative professional services.

Services of interest
Transaction Monitoring/Wallet Screening
Training Services
Training Services
By clicking the button below, you agree to the TRM Labs Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.