Bent Finance: Insider Contract Manipulation (Malicious Balance Adjustment)
Summary
Bent Finance (category: Yield Aggregator / Curve Staking & Farming) suffered an incident on 2021-12-21, resulting in a loss of approximately $2M.
What happened
A Bent Finance insider silently manipulated smart contract reward balances on November 30 to award themselves ~$1.75M in fraudulent yields — and wasn't caught for 21 days until a DeBank listing accidentally exposed the absurd pending rewards.
Linked factors
- RD-F-006 — causal: Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Yes — cvxCRV contract was updated on Nov 30 (the update that enabled the exploit)]
- RD-F-027 — causal: ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action (Y/N): Y — the exploit *was* an admin action (manual balance manipulation via contract update)]
- RD-F-101 — illustrative: Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — the exploit *was* an admin action (manual balance manipulation via contract update)]
- RD-F-111 — causal: Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Anonymous / pseudonymous]