Vicuna Finance Post Mortem: Anatomy of a $700K Oracle Attack

March 28, 2025MEV/BEVAuthor: D23E Team

Summary

Vicuna Finance is a decentralized lending protocol deployed on the Sonic chain. On March 28, 2025, the protocol was targeted by an oracle manipulation attack that exploited a mispricing mechanism in a newly launched market using Beets LP tokens as collateral. The attacker manipulated the token ratio within the LP to artificially inflate its value, enabling excessive borrowing against the overpriced LP tokens.

As a result, two side markets — the $S market and the stablecoin market — were drained, leading to an estimated total loss of approximately $700K.

Timeline

Below we list the timeline of this exploit:

  • Mar-27-2025 02:35:55 PM UTC

    The attacker's address 0xBF43...65FE receives 39.03 $S from the previous Vicuna Finance exploiter (Previous Vicuna Finance Exploit).

  • Mar-27-2025 05:28:27 PM UTC

    The Beets $S-stS LP market is deployed at 0x83Dd...8e44.

  • Mar-27-2025 05:36:19 PM UTC

    The Beets USDC-scUSD LP market is deployed at 0x5B02...3048. After the introduction of these markets, the protocol becomes vulnerable to attack.

  • Mar-28-2025 11:52:15 AM UTC

    The attacker executes the exploit via transaction 0x79e1...e265.

  • Mar-28-2025 11:58:23 AM UTC

    The attacker completes token swaps, converting the illicit profits into $S, the native gas token.

  • Mar-28-2025 12:01:09 PM UTC

    The attacker bridges 81,944.3 $S to the Base chain using Debridge.

  • Mar-28-2025 12:08:11 PM UTC

    367.9 ETH is bridged from the Base chain to Ethereum via Debridge to the address 0xad22...eff3, where the attacker appears to store the profits.

  • Mar-28-2025 01:03:25 PM UTC

    Admin actions are taken to pause the affected markets through transactions 0x1316...baa0 and 0x853f...0c99.

    • Root Cause Analysis

    The LP token was priced based on the sum of the values of its underlying assets:

    price_lp = price_token1 * amount_token1 + price_token0 * amount_token0
    Oracle code used to price LP tokens in Vicuna Finance.

    Figure 1: Oracle code used to price LP tokens in Vicuna Finance.

    This method fails to consider the invariant-based valuation (also known as fair pricing) that protects against manipulation. The attacker exploited this by drastically altering the token balances in the pool, temporarily inflating the oracle-reported LP value. This enabled them to over-borrow against the collateral and later restore the pool's balance, leaving the protocol with bad debt.

    The full exploit sequence in each market was as follows:

    1. Manipulate pool ratio: Perform a large swap from token0 to token1, artificially inflating the LP token's oracle price.
    2. Deposit collateral: Deposit the overvalued LP tokens as collateral.
    3. Borrow funds: Borrow assets against the inflated LP collateral.
    4. Reverse swap: Swap token1 back to token0, deflating the LP price and creating bad debt.

    Next Steps

    Vicuna Finance is actively working with leading Web3 security firms, including Decentralized Intelligence (@d23e_AG), to trace the attacker's funds and explore potential recovery options.

    Improving Security

    Looking forward, the Vicuna team is committed to prioritizing security by conducting additional audits, integrating advanced on-chain monitoring systems, and adopting more robust oracle designs to prevent similar vulnerabilities.

    Back to Research