Eleven Finance NRV Vault Exploit and loss of funds — A post mortem.

Eleven Finance
2 min readJun 24, 2021

--

Approximately 36 hours ago the Eleven Finance team was made aware of an exploit targeting it’s Nerve vaults this included the following:

3nrv
anybtc/btc
anyeth/eth
nrv/busd
bfusd (just unutilised funds in NRV vaults, not funds being lent)
nrvfusdt

This has resulted in a 100% loss of funds from these vaults, totalling around $4.5 million USD.

Upon analysis the cause of the exploit was developer oversight. The emergencyBurn() function not burning shares allowed the attacker to execute this attack.

It should be noted that this not new code, this has been present since the inception of these vaults, overlooked on code review and audits. No excuse for the oversight, simply stating the facts for transparency.

Additionally it is important to note that the strategies that act on these vaults have not been exploited.

Furthermore, prior to the exploit NRV vaults made up around 4% of our TVL. We have full faith in our remaining vaults and strategies and their integrity. They have continued to work as designed throughout.

As community members may be aware we have pending audits with Certik and Quill Audits, covering our vaults and leveraged yield farming platforms. We will take onboard any feedback from these and ensure robust auditing procedures for new products moving forward.

It goes without saying that we will be implementing further security measures to ensure such incidents are mitigated moving forward.

A notice to our Bigfoot.Eleven.Finance users

Bigfoot.eleven.finance has been taken down to ensure lenders won’t lend more funds to bfUSD, that bank with uses an affected NRV vault.

We are researching the potential to recover some number of funds from here.

As a result those with any open positions that on bigfoot, will have positions liquidated (with users receiving all funds and no liquidator fee).

BigfootBNB (bfBNB) is working and opening positions will be available when the platform is back live.

Summary

We as a team take full responsibility for the exploit and funds lost.

We will be developing a compensation plan and share more details regarding this in the coming week.

--

--