Extending the thought on the possible logic of the Venus Protocol attack:
Security experts say that it was the large holders who were phished. The common understanding is that if they had taken the private keys, they could have withdrawn directly. How could there be a flash loan?
It is highly likely that the hacker obtained the updateDeleGate authorization through social engineering, gaining access to the account operation permissions of large holders. However, there was no immediate liquidity to withdraw. In simple terms, the hacker gained the permissions, but the large holders only had collateral, and the borrowed money was not there. The hacker needs to find a way to obtain the collateral from the large holders.
Is it the issue of individual large holders being phished, which has nothing to do with the Venus contract? As mentioned earlier, if hackers find that large holders have no liquidity in their accounts, they should normally be wasting their efforts. But why can they withdraw collateral through a simple flash loan attack? The answer lies in the mechanism of the Venus contract; hackers may use flash loans and a series of exchange rate differences in the vToken cross-platform mechanism to help large holders repay their debts and withdraw collateral, and even take out an additional portion.
In simple terms, it is true that the collateral of the large holder was stolen, but it is very likely to become bad debt for the Venus contract platform, unless the large holder is foolish enough to pay the platform back.
Other users' funds are temporarily safe, but the liability issues for the Venus platform could be significant. Although the trigger for this attack was a large holder being phished by social engineering, it ultimately resulted in a successful profit, and the $30 million stolen will likely become a bad debt for the Venus platform. Coupled with the temporary panic of a run on the bank, its impact is enough for Venus to drink a pot.
But the greater impact is that this event has stirred up terrifying memories for everyone regarding Venus's "habitual attacks," such as the manipulation of XVS prices and its degradation into a money laundering tool for BNB's cross-chain bridge, all of which are injuries caused by fundamental flaws in Venus's security engineering. As the largest lending protocol on BSC, such a situation is likely unacceptable. Note: The above content is based on normal logical deductions from currently disclosed information, and the specifics should be based on the details actually disclosed.
This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.
Venus Protocol 'Habitual Loss': Security Mechanism Defect or Ecological Original Sin?
Written by: on-chain View
Extending the thought on the possible logic of the Venus Protocol attack:
It is highly likely that the hacker obtained the updateDeleGate authorization through social engineering, gaining access to the account operation permissions of large holders. However, there was no immediate liquidity to withdraw. In simple terms, the hacker gained the permissions, but the large holders only had collateral, and the borrowed money was not there. The hacker needs to find a way to obtain the collateral from the large holders.
In simple terms, it is true that the collateral of the large holder was stolen, but it is very likely to become bad debt for the Venus contract platform, unless the large holder is foolish enough to pay the platform back.
But the greater impact is that this event has stirred up terrifying memories for everyone regarding Venus's "habitual attacks," such as the manipulation of XVS prices and its degradation into a money laundering tool for BNB's cross-chain bridge, all of which are injuries caused by fundamental flaws in Venus's security engineering. As the largest lending protocol on BSC, such a situation is likely unacceptable. Note: The above content is based on normal logical deductions from currently disclosed information, and the specifics should be based on the details actually disclosed.