Update on Elephant Money Hack and Proposed Insurance Claim Plan
TL;DR:
- The Elephant Money hack caused an $11m loss, with details below.
- The InsurAce.io team proposes a compensation plan to smart contract insurance buyers on Elephant and seeks feedback from the community. Discussion channel on Discord: https://discord.gg/nfFC9YR2Qf
What Happened During This Incident?
Summary of the Hacking Incident
Elephant Money suffered an attack on April 12, 2022, 04:49:33 PM +UTC on its Reserve. This incident was due to flawed logic allowing for arbitrage between the PancakeSwap Liquidity Pool and the Elephant Reserve. The hacker used a flash loan to trade for thousands of ELEPHANT governance tokens while minting TRUNK stablecoin. During the mint stage, ELEPHANT token price was uplifted due to embedded buyback mechanics and liquidity depth was increased for both ELEPHANT and TRUNK tokens on PancakeSwap. The hacker then took a profit by selling the inflated ELEPHANT token on PancakeSwap and redeeming TRUNK tokens from the Reserve, extracting a large amount of BUSD and ELEPHANT tokens.
The total loss from this incident is estimated to be $11m as disclosed by the Elephant team in their official blog: https://medium.com/elephant-money/reserve-exploit-52fd36ccc7e8.
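The summary above attributes the attack to a buyback that lifted the ELEPHANT price on PancakeSwap while TRUNK was being minted. The following added example (not Elephant Money's or PancakeSwap's code) models a generic constant-product pool to show how much a single large buy moves the quoted price, and a defender-side check that flags a spot quote which has drifted from a reference price such as a TWAP. The pool depths, fee and deviation threshold are constructed values.

```python
"""Generic constant-product AMM (x * y = k) model, added to illustrate the
price impact of a buyback against a pool of limited depth. Not the code of
any real protocol; all reserve sizes below are constructed sample values."""

from dataclasses import dataclass


@dataclass
class Pool:
    """Two-asset constant-product pool; fee is a fraction of the input amount."""
    reserve_base: float    # e.g. BUSD
    reserve_token: float   # e.g. a governance token
    fee: float = 0.0025    # 0.25% swap fee, assumed for the illustration

    def spot_price(self) -> float:
        """Base units per token as the pool currently quotes it."""
        return self.reserve_base / self.reserve_token

    def buy_token(self, base_in: float) -> float:
        """Spend base_in of the base asset and receive tokens; reserves are updated."""
        base_after_fee = base_in * (1.0 - self.fee)
        k = self.reserve_base * self.reserve_token
        tokens_out = self.reserve_token - k / (self.reserve_base + base_after_fee)
        self.reserve_base += base_in
        self.reserve_token -= tokens_out
        return tokens_out


def price_impact(pool_base: float, pool_token: float, base_in: float,
                 fee: float = 0.0025):
    """Return (price_before, price_after, tokens_received) for one buy."""
    pool = Pool(pool_base, pool_token, fee)
    before = pool.spot_price()
    received = pool.buy_token(base_in)
    return before, pool.spot_price(), received


def spot_deviates_from_reference(spot: float, reference: float,
                                 max_deviation: float = 0.05) -> bool:
    """Sanity check a protocol can apply before valuing a mint or redemption:
    True when the live pool quote is more than max_deviation away from an
    independent reference price (for example a time-weighted average)."""
    return abs(spot - reference) / reference > max_deviation


if __name__ == "__main__":
    # Constructed example: a 1,000,000 / 1,000,000 pool (price 1.0) and a
    # buy worth 10% of the base reserve. The quote jumps by roughly 21%.
    before, after, got = price_impact(1_000_000, 1_000_000, 100_000)
    print(f"price before={before:.4f} after={after:.4f} tokens received={got:,.2f}")
    print("spot deviates from reference:", spot_deviates_from_reference(after, before))
```

The point of the check is that a contract valuing its own mints at the live pool price will accept a price its own buyback just moved; comparing against a reference that lags the pool makes that movement visible.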
Detailed Analysis of the Hacking
This attack was implemented with this transaction:
https://bscscan.com/tx/0xec317deb2f3efdc1dbf7ed5d3902cdf2c33ae512151646383a8cf8cbcd3d4577
Below is a step-by-step breakdown provided by auditing firm PeckShield:
Hacker address H1: 0xbceda90b2880fea5d511d54716229145508996da
Elephant Reserve address C1: 0xd520a3b47e42a1063617a9b6273b206a07bdf834
Step 1: Attacker borrowed 131K WBNB and 91M BUSD using a flash loan.
Step 2: Swapped 131K WBNB to 37,972,517,886,502.22 ELEPHANT
Step 3: C1 minted TRUNK token with 91M BUSD
– Mint 90,124,650 TRUNK to H1
– Swap 22.5M BUSD to buyback 3,050,142,559,411.813 ELEPHANT from PancakeSwap
– Deposit 3,050,142,559,411.813 ELEPHANT to Treasury_af09
– Swap 250,000,000,000.0 ELEPHANT to 4956 WBNB
– Add Liquidity 250,000,000,000.0 ELEPHANT and 4956 WBNB on PancakeSwap
– Mint 910,407 TRUNK to C1
– Add Liquidity 910,407 TRUNK and 902,123 BUSD on PancakeSwap
Step 4: Swap 34,244,200,239,512.18 ELEPHANT to 163,782 WBNB (to profit from reverse swap)
– Swap 45,000.0 TRUNK to 44,156 BUSD
Step 5: Redeem with 90M TRUNK
– Burn 90M TRUNK
– Withdraw 66.8M BUSD to H1, 64,450B ELEPHANT to H1
Step 6: Swap 140,806B ELEPHANT to 21,701 BNB and 28,268 WBNB to 12M BUSD.
An independent analysis was also conducted by auditing firm Blocksec: https://twitter.com/BlockSecTeam/status/1513966074357698563?s=20&t=MfMn1AHebxYvS7LJA6JD1A
InsurAce.io’s Response Measures
This incident was spotted by the security community and our team was notified immediately, prompting several actions from our end:
- Reaching out to the Elephant team, with whom we have direct contact, to get more information on what was happening and helping to investigate the root cause of the incident. This included a direct call with the Elephant founder, during which we provided our advice, as quoted in the “update #10” section of their blog: https://medium.com/elephant-money/reserve-exploit-52fd36ccc7e8
- Connecting auditing firm PeckShield to the Elephant team. PeckShield offered a code review and lost funds tracking support to the team with contingency cases.
- Publishing continuous updates to our community on the incident and keeping them aware as more details have been discovered.
- Convening our advisory board to form preliminary opinions on claim eligibility and to develop a proposal for community discussion.
As its partner, we hope to support the Elephant team, while keeping our community updated on the situation to bring peace of mind to all Elephant users.
As the situation has begun to stabilize and the Elephant team initiates its plans to resume protocol operations, we would like to provide our proposal on the insurance claim arrangements as below.
Proposed Insurance Compensation Plan from InsurAce.io
This attack has resulted in approximately $11M loss of funds in the Elephant Treasury, causing the stablecoin TRUNK to lose its peg and leaving users unable to fully redeem underlying collateral. The loss is due to flawed logic in the mint function of the Elephant Reserve smart contract; hence it is advised that this hack is deemed a claimable event under our “Smart Contract Vulnerability” cover wording:
https://files.insurace.io/public/en/cover/SmartContractCover_v2.0.pdf
Claim Eligibility
Based on current cover wording, the attack is advised as claimable for cover holders fulfilling the following criteria:
- Held an active “Smart Contract Vulnerability” cover on Elephant Money before April 12, 2022 04:49:33 PM +UTC; and
- Had minted TRUNK in the Elephant Reserve before April 12, 2022 04:49:33 PM +UTC; and
- Held TRUNK at April 12, 2022 04:49:33 PM +UTC.
Excluded Cases
- Loss caused by the price devaluation of ELEPHANT governance token is not covered.
- Funds that participated in the Stampede module will not be eligible for claim compensation.
These exclusions are explicitly stated in the Cover Wording (Exclusion #4).
Loss Identification and Claimable Amount Calculation
InsurAce.io will compensate cover owners for the quantity of TRUNK held as of April 12, 2022 04:49:33 PM +UTC that was originally minted from the Elephant Reserve, up to a value no more than the cover amount. Any additional quantity that cover holders received as rewards for staking, or purchased after the attack, will not be counted. TRUNK in Stampede will not be covered in this case, as it was not minted by cover holders from the Reserve.
Case #1: For insurance buyers who have already sold TRUNK after the attack, it is advised to compensate the price difference between $0.9933 (the 5-day time-weighted average price of TRUNK before the attack as referenced from price data on PancakeSwap) and the sold price. The claimable amount is thus:
Claimable Amount = Quantity of claimable TRUNK * (0.99 – Sold Price)
Case #2: Insurance buyers who have not sold their TRUNK may swap TRUNK, up to the claimable quantity, to us within 15 days after the final claim plan announcement. TRUNK tokens sold after this final announcement are not claimable. It is advised to compensate the cover holder at a ratio of 1 TRUNK = $0.99. A separate announcement regarding this process will be made thereafter. The claimable amount is:
Claimable Amount = Quantity of claimable TRUNK * 0.99
For example, if a cover holder had 1000.00 TRUNK tokens before the hack, and sold at $0.75 BUSD thereafter, their compensation will be:
1000.00 * (0.99 – 0.75) = 243.29 BUSD
Whereas if the cover holder did not sell TRUNK tokens after the hack and still holds them, they can be compensated 1000.00 BUSD by exchanging 1000 TRUNK tokens with InsurAce.io.
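The eligibility rules and the two claim formulas above, carried through as an added example (this is not InsurAce.io's claim tooling). Note that the plan's formulas use $0.99 while the worked figure of 243.29 BUSD matches the 5-day TWAP of $0.9933, so the function takes the reference price as a parameter. The reading that claimable TRUNK is the smaller of what was minted from the Reserve and what was still held at the snapshot (after removing staking rewards), and that the cover-amount cap is applied to the TRUNK's value at the reference price, are assumptions of this example; the holder records are constructed.

```python
"""Claim calculation for the two cases in the proposed plan. Added example,
not InsurAce.io's own code; the holder data below is constructed."""

from dataclasses import dataclass
from typing import Optional

TWAP_PRE_ATTACK = 0.9933   # 5-day TWAP of TRUNK before the attack, as quoted in the plan
REFERENCE_PRICE = 0.99     # price used in the plan's claimable-amount formulas


@dataclass
class CoverHolder:
    cover_amount: float            # USD value of the Smart Contract Vulnerability cover
    minted_from_reserve: float     # TRUNK minted from the Reserve before the attack
    held_at_snapshot: float        # TRUNK held at the snapshot time
    staking_rewards: float         # TRUNK received as staking rewards (not counted)
    sold_price: Optional[float]    # post-attack sale price, or None if still held


def claimable_quantity(h: CoverHolder, reference_price: float = REFERENCE_PRICE) -> float:
    """TRUNK quantity eligible under the plan.
    Assumption: only TRUNK both minted from the Reserve and still held at the
    snapshot counts; staking rewards are removed first; the total value at the
    reference price may not exceed the cover amount."""
    eligible_held = max(h.held_at_snapshot - h.staking_rewards, 0.0)
    qty = min(eligible_held, h.minted_from_reserve)
    value_cap = h.cover_amount / reference_price
    return min(qty, value_cap)


def claimable_amount(h: CoverHolder, reference_price: float = REFERENCE_PRICE) -> float:
    """Case #1 (sold after the attack): qty * (reference - sold price).
    Case #2 (still held, swapped to the insurer): qty * reference."""
    qty = claimable_quantity(h, reference_price)
    if h.sold_price is None:
        amount = qty * reference_price
    else:
        # A sale at or above the reference price produced no covered loss.
        amount = qty * max(reference_price - h.sold_price, 0.0)
    return round(amount, 2)


if __name__ == "__main__":
    # Constructed records mirroring the plan's worked example (1000 TRUNK).
    sold = CoverHolder(cover_amount=5000, minted_from_reserve=1000,
                       held_at_snapshot=1000, staking_rewards=0, sold_price=0.75)
    held = CoverHolder(cover_amount=5000, minted_from_reserve=1000,
                       held_at_snapshot=1000, staking_rewards=0, sold_price=None)
    print("Case #1 at 0.99:  ", claimable_amount(sold))
    print("Case #1 at TWAP:  ", claimable_amount(sold, TWAP_PRE_ATTACK))
    print("Case #2 at 0.99:  ", claimable_amount(held))
```

Running it with the plan's own figures gives 240.00 BUSD for Case #1 at $0.99 and 243.30 BUSD at the $0.9933 TWAP, and 990.00 BUSD for Case #2, which is where the two prices quoted in the plan lead when each is applied consistently.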
Claim Request Submission and Processing
The claim request for this attack together with Proof of Loss must be submitted within 7 days after this announcement. Claims without sufficient Proof of Loss will be deemed invalid and rejected without proceeding to community voting.
For this particular attack, Proof of Loss could include, but is not limited to:
- transactions to prove the total amount of TRUNK minted; and/or
- snapshot of the impacted wallet address’s balance of TRUNK in the staking pool, showing the wallet address and the amounts deposited, rewarded, withdrawn and rolled; and/or
- transactions to show the amount and value of TRUNK sold after the attack; and/or
- other evidence as deemed necessary.
All claims will be assessed and voted on by our Claim Assessors (token holders) following our claim process to decide which claims are paid on a case-by-case basis.
Read more about our Claim Assessment Process and How to Make a Claim
Community Discussion Channel
Given the complexity of this hacking incident and the sophistication of the Elephant platform design, we seek further discussion and feedback from community members and cover holders on this case.
A dedicated channel has been created on Discord for this case; feel free to join and chat: https://discord.gg/nfFC9YR2Qf
The community will need to reach a consensus on this compensation plan before we proceed to the execution of the claim settlements.