Beefy.Finance Incident Report: Autofarm and Belt issue


Short Summary

Several Yield Optimizer vaults were affected by the implementation of a Venus improvement proposal.

Beefy acted accordingly by withdrawing the funds from the strategy the day before, preventing a leak of funds from our own Venus vaults.

We had people watching the code behavior during the Venus implementation, which allowed us to act quickly. Before any communication from those teams, safety measures were executed on our side once funds started to leak value on Autofarm and Belt.

Given the lack of safety mechanisms in the smart contracts on those platforms, they still can’t withdraw the funds and the leak is ongoing.

There are reasons to believe a bad actor could take advantage of Autofarm’s impacted vaults. We need to amplify this urgency so that everyone withdraws from them as soon as possible in order to secure their funds.

Beefy users still have to take action on Belt vaults; this is time sensitive.


Timeline of Events

On April 16, Venus created a proposal introducing VAI liquidation, a VAI mint fee and vToken redeem fees for stabilization markets.

Beefy developers identified this as a potential issue on April 17, as we have been monitoring Venus updates closely.

We were aware of these changes and knew that, with the new Venus implementation, our strategies would lose 0.01% on the leverage process. On April 19 we upgraded the strategies on our Venus vaults in order to avoid a loss of funds for users.

The Venus proposal passed and the implementation was queued. On April 20, Venus executed their proposal with its planned fee upgrade.

However, some yield optimization platforms did not upgrade their vaults. The changes led to a loss of funds for DeFi users who had staked their assets directly on Autofarm’s Venus Vaults and Belt Finance’s Stable coin vault.

Given the current implementation, the vaults pay the fee introduced by Venus whenever a withdrawal is executed. A percentage of each user’s staked amount is lost every time someone withdraws.

As soon as we found this out, and before any communication from the other Yield Optimizers affected by the bug, our devs executed the Panic() function available in all of our vaults to remove all staked tokens from the affected Autofarm contracts back to the Beefy vaults. This saved users’ funds from being drained further.

The lack of security measures in other Yield Optimizers’ code did not allow them to execute an emergency withdrawal, causing a cascading leak of funds which is still ongoing.
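As an added illustration (not Beefy’s, Venus’s or Autofarm’s code), the toy model below reproduces the two behaviours described above: a share-based vault whose per-withdrawal redeem fee is absorbed by the depositors who stay, versus one that passes the fee on to the withdrawer, plus a panic() that pulls everything back in a single redeem. The 0.01% fee, the 9000/1000 token amounts and the 100 deposit/withdraw rounds are constructed sample values.

```python
class Vault:
    """Share-based vault on a mock lending market (constructed, not Venus or Beefy code). socialize_fee=True
    models the unpatched behaviour the post describes: withdrawers are paid in full, stayers absorb the fee."""

    def __init__(self, socialize_fee: bool, fee: float = 0.0001):  # 0.01% redeem fee, as in the post
        self.socialize_fee, self.fee = socialize_fee, fee
        self.supplied = self.idle = 0.0  # supplied to the mock market / parked in the vault after panic()
        self.shares, self.total_shares = {}, 0.0

    def _redeem(self, amount: float) -> float:
        # Mock market redeem: the market keeps `fee` of the amount and pays out the rest.
        assert amount <= self.supplied + 1e-9, "cannot redeem more than supplied"
        self.supplied -= amount
        return amount * (1 - self.fee)

    def price_per_share(self) -> float:
        return (self.supplied + self.idle) / self.total_shares if self.total_shares else 1.0

    def deposit(self, user: str, amount: float) -> None:
        assert self.idle == 0, "deposits are paused once panic() has pulled funds back to the vault"
        minted = amount / self.price_per_share()
        self.shares[user] = self.shares.get(user, 0.0) + minted
        self.total_shares += minted
        self.supplied += amount  # straight into the market (no supply-side fee modelled)

    def withdraw(self, user: str) -> float:
        s = self.shares.pop(user)
        owed = s * self.price_per_share()
        self.total_shares -= s
        if self.idle > 0:  # after panic(): paid from idle funds, no redeem and no fee
            self.idle -= owed
            return owed
        if self.socialize_fee:  # redeem enough that the withdrawer receives `owed` in full
            return self._redeem(min(owed / (1 - self.fee), self.supplied))
        return self._redeem(owed)  # otherwise the fee lands on the withdrawer only

    def panic(self) -> None:
        """Emergency exit: one redeem pulls everything back into the vault, paying the fee once."""
        self.idle += self._redeem(self.supplied)


def holder_balance_after_churn(socialize_fee: bool, panic: bool = False, rounds: int = 100) -> float:
    """One 9000-token depositor's balance after `rounds` visitors each deposit and withdraw 1000 tokens."""
    v = Vault(socialize_fee)
    v.deposit("holder", 9000.0)
    if panic:  # emergency exit first; the vault is then paused and sees no visitor flow
        v.panic()
    for _ in range(0 if panic else rounds):
        v.deposit("visitor", 1000.0)
        v.withdraw("visitor")
    return v.shares["holder"] * v.price_per_share()
```

With the fee socialized, the long-term depositor loses roughly a tenth of a token on every unrelated withdrawal and about 10 tokens over 100 rounds, while the vault that panics pays the fee exactly once and the vault that charges the withdrawer loses nothing.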

The following vaults on Beefy.Finance were affected:

What should I do if I am using Beefy’s Belt stable coin vault?

If you used the BELT BLP stable coin vault on Beefy and you haven’t yet withdrawn your tokens from Beefy and then converted the LP token to a single stable coin on the Belt platform, your funds are still at risk. We recommend you withdraw them from both Beefy.Finance and Belt.fi immediately.

The action is time sensitive because our Panic() method for this vault can only disable BELT token compounding; the Venus earnings are handled by Belt, and those are still not fixed.

You should withdraw from the Beefy vault, then go to beltfi.com and convert your LP to an individual stable coin. If the transaction fails, try another stable coin. At the time of writing, DAI and USDT are working.

If you wish to continue earning interest on your stable coins, then you can add them to Ellipsis.fi and stake your LP tokens safely on the corresponding Beefy Finance vault.

What should I do if I am using one of Beefy’s Auto (Venus) Vaults?

If you have assets staked in any of Beefy Finance’s Venus (Auto) vaults, there’s no risk of loss. Your tokens are now stored idle in the Beefy contracts, which means they are currently not earning interest.

Why didn’t Beefy fix this issue pre-emptively?

The upgrade to Venus Smart Contracts was approved Apr 18.

An upgraded strategy was in development, but the complete implementation and testing cycle takes a few days. We mitigated the impact by withdrawing funds from the platform before the upgrade.

From our code review:

This is the old comptroller

https://bscscan.com/address/0x8008a0897Eb2dF2C078034cA638B8f0c0a6aDE3b#code

This is the new comptroller

https://bscscan.com/address/0xBA469fbA7ea40D237B92bF30625513700f0afa47#code

Line 694 of the vtoken.sol file is where Venus added the fee.

Due to the recent Certik audit for Autofarm, and their statements that their Venus V2 contracts would be able to handle this new Venus fee, we assumed Autofarm’s V2 would also protect users’ funds.

Autofarm never talked directly to Beefy about their V2 strategies. Information about their reaction to the changes was collected from their communication with Autofarm users via Telegram and Discord.

One of the Beefy Mods talked directly with the Belt team in the last few days. Belt confirmed to him that their contracts would be able to handle the new Venus fee. Unfortunately, this wasn’t accurate.

Going Forward

Beefy welcomes today’s proposal from Venus to regularly communicate and discuss the development issues. We’re looking forward to being in touch with Venus to see how we can contribute.

Final Comments

We have been repeatedly disappointed by Autofarm’s lack of transparency and misrepresentation, and strongly urge them to improve their communication for the benefit of the BSC community.

We called this out in our first Incident Report. Today it’s just an echo of the same attitude.

Even though Autofarm tweeted and communicated that funds are safe, they are still leaking funds. There is also the potential that a bad actor could accelerate the leakage. This type of communication is doing DeFi and BSC a huge disservice. We look forward to helping all development teams raise the standards of security and safety for the growing community of DeFi users.


Beefy.Finance Incident Report: Autofarm and Belt issue was originally published in beefyfinance on Medium, where people are continuing the conversation by highlighting and responding to this story.
