defirisk.co
rubric v1.7.0

bEarnFi (BvaultsBank): Logic bug — token denomination mismatch between vault and strategy layers

A $18M denomination mismatch between bEarn's bank and strategy contracts let an attacker use a flash loan to withdraw more than deposited in an iterative loop.

Occurred 2021-05-16 Loss $18M Status closed

Summary #

bEarnFi (BvaultsBank) suffered a Yield Aggregator / Vault on 2021-05-16, resulting in a loss of approximately $18M.

What happened #

A $18M denomination mismatch between bEarn's bank and strategy contracts let an attacker use a flash loan to withdraw more than deposited in an iterative loop.

Linked factors #

  • RD-F-001 — causal : ★ Direct: Audit scope mismatch (report commit ≠ deployed bytecode) [via cross-hack: Factor 1: Audit Scope Mismatch]
  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code]
  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded: Unknown — rekt report does not specify recent deployment] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded: Unknown — rekt report does not specify recent deployment]
  • RD-F-007 — causal : Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown — not mentioned in report]
  • RD-F-050 — causal : Dependency graph [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
  • RD-F-052 — related : Breakage analysis [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
  • RD-F-061 — causal : Protocol trusts LP token balanceOf for pricing [via cross-hack: Factor 11: Multi-Layer Vault/Strategy Architecture With Cross-Token Accounting]
  • RD-F-074 — related : ERC-4626 virtual-share offset [via cross-hack: Factor 11: Multi-Layer Vault/Strategy Architecture With Cross-Token Accounting]
  • RD-F-100 — illustrative : Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — large flash loan from CREAM ($7.8M BUSD) as exploit initiator]
  • RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Anonymous]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked: Y — described as "copied code" from other BSC protocols; typical BSC fork pattern]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded: Unknown — rekt report does not specify recent deployment]