September 23, 2021
Decentralized Finance (DeFi) attacks continue to occur at an accelerated rate in 2021. Within the last two weeks, at least two targeted attacks against protocols operating on the smart contract platform Avalanche have resulted in almost $40 million in losses. On September 20, 2021, Vee Finance (VF) officially announced its smart contract platform was attacked with an estimated loss of $35 million.
According to VF, the stolen funds were swept to address 0xeeeE458C3a5eaAfcFd68681D405FB55Ef80595BA (95ba). TRM's blockchain intelligence (BLOCKINT) platform identified that eight minutes prior to the exploit, 95ba was funded with approximately 27 Ethereum (ETH) from the mixing service Tornado Cash. Within the first 24 hours of the attack, only two outgoing transactions, totaling approximately 27 ETH, left the attacker wallet.
To swap the 27 ETH for 27 Wrapped Ethereum (WETH), the VF attacker utilized the 0x DeFi protocol. That WETH was then sent to Avalanche. This post-exploit on-chain movement mirrors the flow of funds in the Zabu Finance attack. Given the on-chain similarities, it is possible that both Avalanche smart contract projects were targeted by the same individual, or by a copycat using almost identical tactics. For example:
- Both attacks used the 0x DeFi protocol.
- Both attacks swapped ETH for WETH.
- Both attacks sent WETH directly to Avalanche after the swap.
- Both attacks interacted with the Tornado Cash mixing service.
Cross-chain swap to Bitcoin
As of September 23, 2021, the attacker had converted approximately 213 of the stolen ETH to Bitcoin (BTC) through ParaSwap, Curve.fi, and Ren Project services. TRM's BLOCKINT platform made it possible to view all funds re-emerging on the Bitcoin chain. The attacker has begun moving at least some of the swapped BTC; as of 09:39 EST, the 13.479 BTC had been split in a pair of transactions. The ultimate destination of these funds remains unclear. TRM continues to monitor the flow of attacker funds and will continue to support law enforcement and private industry partners as necessary.
Vee Finance communicates via Ethereum transactions
When PolyNetwork announced its platform was exploited in August for over $600 million, the company began communicating with the attacker via ETH transactions. Over a period of almost two weeks, the negotiation occurred publicly between the attacker and PolyNetwork, resulting in the return of almost all of the stolen funds. The VF team appears to be taking a page out of the PolyNetwork playbook by attempting to negotiate a bug bounty with the attacker in the same way. At least two messages were sent via ETH transactions to the attacker. The attacker has yet to respond.
TRM Labs continues to monitor the flow of stolen funds from the Zabu Finance and Vee Finance exploits. For further information on how these updates may affect your platform as a TRM partner, or for more information about TRM, please contact us directly via firstname.lastname@example.org. To submit a lead to TRM Global Investigations, contact email@example.com.