defirisk.co
rubric v1.7.0

Vee Finance: Pangolin spot price oracle manipulation via custom trading pairs + decimal handling bug

Occurred: 2021-09-21 | Loss: $34M | Status: closed

Summary

Vee Finance (category: Lending / Leveraged Trading) suffered an exploit on 2021-09-21, resulting in a loss of approximately $34M.

What happened

Vee Finance lost $34M when an attacker created custom Pangolin trading pairs to manipulate the spot prices Vee Finance used as its sole oracle, with a decimal handling bug silently disabling the protocol's own slippage protection.

Linked factors

  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown (team offered bug bounty to hacker post-attack)]
  • RD-F-053 — causal : ★ Spot DEX pool oracle without TWAP — root cause [via realtime_signals/Oracle anomaly: Y — Pangolin spot prices manipulated via newly created low-liquidity pairs; observable if monitoring oracle price vs reference]
  • RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Y — Pangolin spot prices manipulated via newly created low-liquidity pairs; observable if monitoring oracle price vs reference]
  • RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Unknown]
  • RD-F-127 — related : Upstream Compound has patches that may not be merged here [via dashboard_risk_factors/Forked?: Partially — leveraged trading platform with Compound-style lending influences]
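
The RD-F-099 signal (oracle price deviating more than X% from a secondary source), combined with the low-liquidity, newly created pair condition noted under RD-F-053, can be checked with a monitor like the one below. This is an added example, not code from Vee Finance or from this site; the PoolSnapshot fields, the thresholds (5%, 100,000 quote tokens, 1,000 blocks), the reference price and the sample reserves are all constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class PoolSnapshot:
    """Constructed view of one DEX pair; a real monitor reads this on-chain."""
    reserve_base: int    # raw units of the token being priced
    reserve_quote: int   # raw units of the quote token
    base_decimals: int
    quote_decimals: int
    age_blocks: int      # blocks since the pair was created


def to_tokens(raw: int, decimals: int) -> Decimal:
    # Scale raw integer units to whole tokens so pairs with different
    # decimals (e.g. 18 vs 6) are compared on the same footing.
    return Decimal(raw) / (Decimal(10) ** decimals)


def check_oracle(pool, reference_price, max_dev_pct=Decimal("5"),
                 min_quote_liquidity=Decimal("100000"), min_age_blocks=1000):
    """Return alert names for a spot price that should not be trusted."""
    base = to_tokens(pool.reserve_base, pool.base_decimals)
    quote = to_tokens(pool.reserve_quote, pool.quote_decimals)
    if base == 0 or quote == 0:
        return ["empty_pool"]
    alerts = []
    spot = quote / base
    deviation_pct = abs(spot - reference_price) / reference_price * 100
    if deviation_pct > max_dev_pct:
        alerts.append("price_deviation")
    if quote < min_quote_liquidity:
        alerts.append("low_liquidity")
    if pool.age_blocks < min_age_blocks:
        alerts.append("new_pair")
    return alerts


# Constructed samples: an established deep pool and a freshly created thin one.
REFERENCE = Decimal("2010")  # price from a secondary source (assumed)
DEEP = PoolSnapshot(5_000 * 10**18, 10_000_000 * 10**6, 18, 6, 500_000)
THIN = PoolSnapshot(2 * 10**18, 9_000 * 10**6, 18, 6, 40)

if __name__ == "__main__":
    print("deep pool:", check_oracle(DEEP, REFERENCE))
    print("thin pool:", check_oracle(THIN, REFERENCE))
```

A protocol that refuses to price collateral from any pool returning a non-empty alert list would reject the thin pair here on all three grounds.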