
Vow: $1.2M Exploit Causes 80% Token Plunge

Detailed Analysis of Vow's $1.2 Million Exploit: Root Causes, Attack Process, and the 80% Token Price Collapse


TL;DR

Vow's token suffered a $1.2 million exploit due to inadequate validation in its smart contract, allowing unauthorized rate manipulation. This breach led to an 80% drop in VOW's price. The attacker exploited a leaked private key and manipulated the rate using a bot, resulting in a significant market impact.


Vow, a decentralized platform specializing in discount voucher issuance, was hit by a significant exploit resulting in the loss of $1.2 million.

According to a report from blockchain security firm CertiK, the incident occurred on August 13, 2024, during a testing phase, triggering a dramatic 80% decline in the value of Vow’s native token, VOW.

The breach has raised concerns within the crypto community, highlighting vulnerabilities even in well-established protocols.

The exploit was linked to a brief test of Vow’s rate setter function. Per Vow’s post on X, the testing involved changing the conversion rate from 1:1 to 1:100 for vUSD received per VOW token.

This test lasted between 15 and 30 seconds before the rate was reverted to its normal setting.

During this brief period, a bot took advantage of the rate change, acquiring 20 million VOW tokens valued at $6.6 million.

The attacker then swapped these tokens for 452 ETH on Uniswap V2, which was worth approximately $1.23 million at the time of the exploit.

The exploit had an immediate effect on the VOW token’s market performance. Within 24 hours, VOW’s value plummeted by 80%, dropping to $0.06, with its market cap shrinking to $41 million.

In response to the crisis, Vow implemented a fix by increasing the token burn rate to 50%. This measure aims to reduce the circulating supply and stabilize the token’s value.

Despite these efforts, the attack has left lasting damage to investor confidence.

On-chain data reveals that the attacker did not create a new wallet to carry out the exploit. Instead, the address involved had previously interacted with Tornado Cash, a popular cryptocurrency mixer, on April 23, 2024.

This activity suggests that the attack may have been premeditated. The exploiter still holds the ETH obtained from Uniswap, as verified by Etherscan.

The exploit stemmed from two critical vulnerabilities in the Vow platform:

  1. Lack of Validation: The setUSDRate function in Vow's smart contract was inadequately validated, allowing the attacker to change the conversion rate without restrictions.

  2. Absence of Rate Change Mechanism: There was no system to track or delay rate changes, facilitating the exploit's execution without detection.
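
A sketch of the two missing controls listed above, bounded validation in setUSDRate and a delayed, observable rate change, written as an added Solidity example that is not Vow's contract. Apart from setUSDRate and usdRateSetter, every name is hypothetical, and the 5% step cap, one-day delay and separate guardian key are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not Vow's contract. Only setUSDRate and usdRateSetter
// are names from the article; everything else is hypothetical.
contract GuardedRateSetter {
    uint256 public constant MAX_STEP_BPS = 500; // assumed cap: 5% per update
    uint256 public constant DELAY = 1 days;     // assumed timelock
    address public immutable usdRateSetter;     // key that may queue a rate
    address public immutable guardian;          // separate key that may veto
    uint256 public usdRate;                     // active rate (scaled integer)
    uint256 public pendingRate;
    uint256 public pendingEta;                  // 0 means nothing is queued
    event RateProposed(uint256 oldRate, uint256 newRate, uint256 eta);
    event RateApplied(uint256 oldRate, uint256 newRate);
    event RateCancelled(uint256 rate);

    constructor(address setter, address guardian_, uint256 initialRate) {
        require(setter != address(0) && guardian_ != address(0), "zero address");
        require(setter != guardian_ && initialRate > 0, "bad init");
        usdRateSetter = setter;
        guardian = guardian_;
        usdRate = initialRate;
    }

    // Validation: zero and any jump above MAX_STEP_BPS (e.g. 1:1 -> 1:100) revert.
    function setUSDRate(uint256 newRate) external {
        require(msg.sender == usdRateSetter, "not rate setter");
        require(newRate > 0, "zero rate");
        uint256 diff = newRate > usdRate ? newRate - usdRate : usdRate - newRate;
        require(diff * 10_000 <= usdRate * MAX_STEP_BPS, "step too large");
        pendingRate = newRate;
        pendingEta = block.timestamp + DELAY;
        emit RateProposed(usdRate, newRate, pendingEta);
    }

    // Delay: the queued rate sits on-chain for DELAY before anyone can apply it.
    function applyUSDRate() external {
        require(pendingEta != 0 && block.timestamp >= pendingEta, "not ready");
        emit RateApplied(usdRate, pendingRate);
        usdRate = pendingRate;
        pendingEta = 0;
    }

    // Veto: the guardian can drop a queued rate during the delay window.
    function cancelUSDRate() external {
        require(msg.sender == guardian && pendingEta != 0, "cannot cancel");
        emit RateCancelled(pendingRate);
        pendingEta = 0;
    }
}
```

Alerting on RateProposed gives responders the delay window to veto a change queued with a leaked usdRateSetter key, since the setter key alone can neither skip the delay nor exceed the step cap.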


Attack Process

The attack began with the leakage of the private key for the usdRateSetter associated with the VOW token. This compromised key provided unauthorized access, enabling the attacker to manipulate the rate settings of the token.

On-Chain Attack Details

Further investigation into the attack revealed the following on-chain details:

The attacker utilized these addresses and contracts to carry out the exploit, further raising questions about the platform’s security protocols.

The incident led to a 1,400% surge in VOW’s daily trading volume, which reached $12 million, reflecting heightened market volatility. This exploit is part of a broader trend of rising crypto breaches.

A report from Crystal Intelligence in June 2024 estimated that the crypto industry has lost nearly $20 billion to hackers and scammers since 2011.

In Q2 2024 alone, 72 incidents resulted in $572.7 million in losses, underlining the persistent security challenges facing the sector.

The Vow exploit underscores the need for heightened security and rigorous testing within decentralized platforms.

As the crypto industry continues to evolve, incidents like these highlight the importance of safeguarding protocols, even during routine updates and tests.

The Vow team’s swift response to mitigate damage through an increased burn rate is a critical step, but the long-term impact on the token’s reputation and investor trust remains to be seen.
