The Great Arbitrage, the Great Curve Escape Thanks to the Great Whitehat
And how to prevent future malicious arbitrages using similar approaches.
The Vyper vulnerability gave rise to an arbitrage with a $5.4M profit, topping 2022's largest back-run of over $3.2M. The searcher had the insight that, after the reentrancy attack, there could be a massive discrepancy between the exploited contract's internal accounting and its real remaining balances.
However, the searcher who pulled this off, c0ffeebabe.eth, did not keep the proceeds. In fact, this guy did a wonderful job protecting the assets of Curve Finance from other arbitrageurs who would not have done the same for the public good. Meanwhile, it is essential to understand the attack vector here in order to prevent future malicious attacks.
Here is the key takeaway. This tx, https://bit.ly/3YcrOUH, is an arbitrage trade that exploits a large deviation between the Vyper-based Curve CRV/WETH pool's price and the market price, in this case given by a UniswapV3Pool. The deviation was triggered by the whitehat's 30K $CRV transfer, which caused the CRV/WETH pool's parameters to be updated.
The price changes of the two pools involved before and after the transaction are shown in the following table:
Now let's walk through the tx step by step.
Step 0: Borrow 100 WETH from Balancer Vault using Flash Loan.
Step 1, Step 11, Step 12: Perform self-transfer of WETH to the specified address.
Steps 2-3: Sell 70 WETH on UniswapV3Pool to obtain 190,388 CRV at an average exchange rate of 2719 CRV/WETH.
Steps 4-5: Transfer 30,000 CRV directly to Vyper_contract and trigger the claim_admin_fees operation. This operation updates parameters such as the pool balances and total supply.
Steps 6-9: Call the exchange method of Vyper_contract to swap a total of 160,388 CRV for ETH, which is then wrapped back into WETH, at an average exchange rate of approximately 54.375 CRV/WETH.
Step 10: An internal step of the exchange method triggers another claim_admin_fees operation.
Step 13: Repay the 100 WETH borrowed through the flash loan.
Steps 14-16: Convert the remaining 2879 WETH into ETH and send it back to the 'from' address.
Step 5, the claim_admin_fees operation, is crucial. Because of the exploitation of the Vyper-related contracts, there was a significant deviation between the actual balances of the pool created with Vyper and its internal accounting values. The purpose of claim_admin_fees() is to align the internal accounting with the actual balance, similar to Uniswap V2's skim() method.
By simulating the execution, we find that without calling claim_admin_fees() before exchange(), the contract's internal accounting would let 190,388 CRV swap for only 9.337 ETH, an average price of 20390 CRV/ETH. That values CRV far below what the arbitrage actually realized.
After calling claim_admin_fees() before exchange(), however, the rate is based on the pool's actual balances and becomes very favorable for the searcher.
In Step 4, transferring 30000 CRV directly to Vyper_contract is a prerequisite for successfully calling claim_admin_fees(). If the amount is significantly less than 30000 (e.g., 25000), the claim reverts.
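To make the accounting gap concrete, here is an added toy model written for this explanation; it is not EigenPhi's tooling and not Curve's contract code. It uses a simplified constant-product pool rather than Curve's CryptoSwap math, and TwoCoinPool, sync(), accounting_drift(), flag_drift() and every balance in it are constructed for illustration. It quotes the same swap once from stale internal accounting and once after the accounting is re-aligned (the role the post gives claim_admin_fees()), and it includes the kind of booked-versus-actual drift check a pool operator or monitoring service could run every block so that such a discrepancy is caught before someone else prices it.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Added illustration (not EigenPhi's or Curve's code). A deliberately simple
# constant-product pool (x * y = k) stands in for the Vyper pool; Curve's real
# CryptoSwap invariant is different, and all balances below are constructed.


@dataclass
class TwoCoinPool:
    # Internal accounting: what the contract *believes* it holds.
    booked: Dict[str, float] = field(default_factory=dict)
    # Real balances: what each token contract would report via balanceOf(pool).
    actual: Dict[str, float] = field(default_factory=dict)

    def quote(self, coin_in: str, coin_out: str, amount_in: float) -> float:
        """Output for a swap priced from *internal* accounting only, like a
        pool whose exchange() never re-reads balanceOf()."""
        x, y = self.booked[coin_in], self.booked[coin_out]
        return y - (x * y) / (x + amount_in)

    def sync(self) -> None:
        """Re-align internal accounting with real balances. This is the role
        the post attributes to claim_admin_fees()."""
        self.booked = dict(self.actual)

    def exchange(self, coin_in: str, coin_out: str, amount_in: float) -> float:
        """Execute a swap at the quoted rate, moving both ledgers."""
        out = self.quote(coin_in, coin_out, amount_in)
        for ledger in (self.booked, self.actual):
            ledger[coin_in] += amount_in
            ledger[coin_out] -= out
        return out


def accounting_drift(pool: TwoCoinPool) -> Dict[str, float]:
    """Monitoring check: relative gap (actual - booked) / booked per coin.
    A healthy pool stays close to 0.0 on every coin between blocks."""
    return {c: (pool.actual[c] - pool.booked[c]) / pool.booked[c] for c in pool.booked}


def flag_drift(pool: TwoCoinPool, threshold: float = 0.01) -> List[str]:
    """Coins whose booked/actual gap exceeds the alerting threshold (default 1%)."""
    return [c for c, d in accounting_drift(pool).items() if abs(d) > threshold]


def make_example_pool() -> TwoCoinPool:
    """Constructed post-incident state: the ledger still books far more CRV
    than the pool really holds, so its CRV/WETH price is far off the market."""
    return TwoCoinPool(
        booked={"CRV": 4_000_000.0, "WETH": 200.0},  # implies 20,000 CRV per WETH
        actual={"CRV": 100_000.0, "WETH": 200.0},    # implies 500 CRV per WETH
    )


if __name__ == "__main__":
    pool = make_example_pool()
    trade = 100_000.0  # CRV sold into the pool (constructed size)
    print("drifted coins before sync:", flag_drift(pool))  # ['CRV']
    print("WETH out, stale accounting:", round(pool.quote("CRV", "WETH", trade), 3))  # 4.878
    pool.sync()
    print("drifted coins after sync:", flag_drift(pool))  # []
    print("WETH out, synced accounting:", round(pool.quote("CRV", "WETH", trade), 3))  # 100.0
```

Run as a script, the model shows the same 100,000 CRV sale quoted at roughly 4.9 WETH from the stale ledger and at 100 WETH once the ledger matches the real balances, the same shape of gap the post measures between 20390 and 54.375 CRV per ETH. The drift check is the defensive part: an operator alerting on `flag_drift()` crossing a small threshold would see the mismatch as soon as it appears, rather than learning about it from a searcher's transaction.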
The arbitrage profit of 2879 ETH ($5,364,863) flowed entirely into c0ffeebabe.eth's address, with no priority fee or builder tip paid to the builder and a base fee of approximately $32.3. Nearly two hours later, c0ffeebabe.eth transferred the proceeds to Curve.fi: Deployer.
In essence, this arbitrage is not something anyone can easily do. The whitehat understands the intricate operations within the smart contracts.
That said, some questions remain unanswered, such as: why did the "to" address transfer to itself 3 times? And what is the connection between this tx and other large arbitrages?
Please leave your comments and stay tuned for more research from EigenPhi.
P.S.: you can find more info about the whitehat's bot:
https://eigenphi.io/mev/ethereum/contract/0x7c28E0977F72c5D08D5e1Ac7D52a34db378282B3