DeFi platform ‘bEarn Fi’ promises 105% compensation after $10 million hack, but is it the right thing?
An exploit allowed a malicious user to continuously withdraw more funds than they deposited, ultimately draining bEarn's BUSD vault dry.
Cross-chain decentralized finance (DeFi) yield farming platform bEarn Fi fell victim to an exploit in its smart contract on Sunday, allowing a malicious user to siphon $10.85 million worth of Binance USD (BUSD) stablecoins from one of its vaults.
“Dear community, we have been hard at work investigating the situation. We have published details regarding the Alpaca BUSD exploit that happened,” bEarn tweeted today.
?bVaults' BUSD Alpaca Strategy Exploit Post-Mortem & Compensation Plan?
▪️Dear community, We have been hard at work investigating the situation.
▪️We have published details regarding the Alpaca BUSD exploit that happened on in the following article:https://t.co/QbPOx6jODp pic.twitter.com/qVHuAeh7tX— bEarn Fi (@BearnFi) May 16, 2021
Per the project’s “post mortem” announcement, the attacker used a flaw in bEarn’s so-termed “BUSD Alpaca strategy” vault.
“The incident was due to the improper implementation of the function withdraw (address, uint256 wantAmount). We passed the method withdraw from FairLaunch contract with BUSD amount while we should have used ibBUSD amount instead,” the developers explained.
Basically, the exploit allowed the attacker to continuously deposit and withdraw BUSD from the vault, each time receiving more coins than they initially deposited. To conduct their attack, the user first took out a $7.8 million BUSD loan from Cream Finance—another DeFi platform—and proceeded to bombard bEarn’s vault with a constant stream of in/out transactions.
Ultimately, it took the attacker a total of 26 transactions to drain out the estimated $10.85 million in BUSD.
Alpaca compensation plan
To remedy the situation, bEarn developers have promised to reimburse all users that were affected by the exploit—and then some.
“We will create a compensation fund which will consist of a combination of the remaining saved funds, Dev Fund, DAO Fund and a portion of fees generated by the protocol. Plan details are being worked on,” bEarn reassured its users.
While the developers are currently waiting for the balance snapshot to deploy the compensation contract, they published a draft plan for the time being. According to it, users will ultimately receive 105% of their losses in various tokens.
Namely, 87.5% of initial deposits’ amount in BUSD and 7.5% in BDOv2 will be given out immediately. Additionally, 10% of the affected users’ deposits will be compensated in BDEX tokens—although they will be available only 80 weeks from now due to the ongoing vesting process.
Distorted perception of risk
While bEarn customers were definitely happy to hear the news, some pointed out that the immediacy of compensations after a hack may create a “distorted perception of risk” for DeFi users and devalue insurance protocols.
“Promising a full compensation just a few hours after a hack seems to become a common theme. It creates a distorted perception of risk for the users and hurts the adoption of insurance protocols. DeFi has grown far past the value where these expectations hold true,” argued pseudonymous Banteg, a core developer at Yearn.Finance.