TRM Investigates: Belt Finance and Visor Finance Hacked

Key Findings

• Tornado Cash has been used in over 35 platform attacks to either fund exploit wallets or obfuscate movements of stolen crypto in 2021.
• The Bent Finance Attacker sent approximately 240 Ethereum through Tornado Cash following the exploit on December 20, 2021.
• The Visor Finance attacker sent approximately 110 Ethereum through Tornado Cash following the exploit on December 21, 2021.
• Over $600 million in cryptocurrency has been stolen in platform attacks in the first three weeks of December from BadgerDAO, BitMart, AscendEX, Vulcan Forged, Grim Finance, Monkey Kingdom, Fractualwagami, Visor Finance and Bent Finance.

Decentralized Finance (DeFi) platform Bent Finance announced on the evening of December 20, 2021, that it was investigating an exploit.

‍

A review of archived web versions of Bent Finance identified that the platform had undergone a previous audit with future audits planned.

TRM Labs’ investigation indicated the Bent Finance platform exploit may have began in early December based on on-chain flows connected to the attacker wallets. On December 9th, 2021,  the alleged attacker received two deposits from Tornado Cash. On December 12, 2021, the attacker began executing a withdrawal of 263kof cvxCRV from Bent Finance. Once the attacker was able to withdrawal 263k of cvxCRV, the attacker used a DeFi platform to swap to ETH before sending over 200 ETH to Tornado Cash. This exact process replicates on the evening of December 20, 2021 with an additional 240 ETH  sent to Tornado Cash for mixing.

‍

A post mortem posted by the Bent Finance team today indicates that a developer at the platform went rogue and injected an exploit during a recent upgrade to multisig wallets in late November.

As the Bent Finance dev team ramped up security processes by migrating contract ownership to multisig wallets, there was a brief timeframe when a developer had the opportunity to inject an exploit on two pools. This happened 3 days before multisig wallets were in place.

The on-chain flows by the Bent Finance attacker mimicked tactics utilized by the Visor Finance exploit that occurred the morning of December 21, 2021. According to the Visor.Finance team, an exploit of the vVISR staking contract was exploited.

‍

Review of on-chain flows confirmed the Visor exploit wallet was funded prior to the attack with a Tornado Cash deposit. Immediately after the exploit was executed, the attacker utilized DeFi protocols to swap for Ethereum before ultimately mixing through Tornado Cash.

TRM will continue to monitor on-chain attacker flows and update our systems so that TRM partners are automatically alerted of any exposure.

TRM Labs is the only tool with cross-chain analytics, which enables investigators to view cross chain swaps and multiple flows within one graph. Investigators can move seamlessly across blockchains to trace the flow of funds, visualize multi-layer relationships and drastically reduce investigation time with our proprietary technology for automated tracing. For more information, or to report leads contact us at investigations@trmlabs.com. Subscribe to our weekly insights here.

‍