Vee Finance Oracle Slippage Bypass
Vee Finance on Avalanche lost $35M a week after launch when Pangolin price manipulation, combined with a decimals bug in the slippage check, drained the protocol. SlowMist had pre-flagged the single-source oracle before launch.
- Date: September 21, 2021
- Victim: Vee Finance
- Chain(s): Avalanche
- Status
- Funds Stolen: ~$35M (8,804.7 ETH and 213.93 BTC)
On September 21, 2021, the Avalanche lending protocol Vee Finance lost approximately $35 million — 8,804.7 ETH and 213.93 BTC — just one week after mainnet launch. The exploit chained an oracle manipulation with a decimals bug in the slippage-check math, completely bypassing the protections that should have caught it. SlowMist had flagged the single-oracle design in a pre-launch audit. The team did not act on the warning.
What happened
Vee Finance let users open leveraged trading positions, with the underlying swaps routed through Pangolin (Avalanche's largest DEX at the time). The protocol's safety mechanism was a slippage check that compared the price the trade would execute at (derived from Pangolin's pool reserves) against the reference price reported by Vee's oracle, and was meant to revert if the two diverged by more than the tolerance.
Two issues compounded:
- The oracle was single-sourced from Pangolin's pool reserves — the same pool that the attacker could move with a swap. Any swap large enough to move Pangolin's price would also move the oracle's reported price.
- The slippage check had a decimals mismatch: the expected price and the oracle's reported price were compared without normalising their decimal scales correctly. With the two sides on different scales, the computed deviation bore no relation to the real one, so the check let through executions far outside the tolerance and the manipulation did not even need to be precise.
The attack:
- Routed large trades through Pangolin to push prices on the relevant trading pairs.
- Opened a leveraged position on Vee Finance, using the manipulated price as input.
- Vee's slippage check, broken by the decimals bug, did not revert, so the protocol executed the swap at the manipulated price, far worse than the price its accounting assumed.
- Closed the position at the post-manipulation price, walking away with the profit.
Repeated across multiple trading pairs, the total drain came to roughly $35M.
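The mechanism and the attack sequence above, as an added simulation that is not Vee Finance's or Pangolin's code. It models Pangolin as a constant-product pool in raw token units, expresses the slippage check as a minimum-output floor derived from the oracle price (the same check as a price comparison, written in amounts), and runs the protocol's trade against three versions of that check: an independent reference price with correct decimal scaling, an oracle that reads the same pool after the attacker has moved it, and an independent reference whose raw-unit ratio gets decimal-adjusted a second time by the consumer. The token pair, decimals, reserves, trade sizes and 3% tolerance are assumptions; the decimals bug shown is one concrete way the mismatch the write-up describes can disable the check, not a reconstruction of Vee's actual code.

```python
"""Model of the two failures described above: an oracle that reads the very pool
the attacker can move, and a slippage floor whose decimal scaling is wrong.
Constructed example, not Vee Finance's or Pangolin's code; pool sizes, trade
sizes, token decimals and the 3% tolerance are assumed for illustration."""

WAD = 10**18            # 18-decimal fixed point for prices
BPS = 10_000
MAX_SLIPPAGE_BPS = 300  # assumed tolerance: 3%


class Pool:
    """Constant-product pool (x*y=k, 0.3% fee) in raw token units, the shape of a
    Uniswap v2 fork such as Pangolin. base = WETH (18 dec), quote = WBTC (8 dec)."""

    def __init__(self, rb: int, base_dec: int, rq: int, quote_dec: int):
        self.rb, self.rq = rb, rq
        self.base_dec, self.quote_dec = base_dec, quote_dec

    @staticmethod
    def _out(amount_in: int, r_in: int, r_out: int) -> int:
        fee_in = amount_in * 997
        return fee_in * r_out // (r_in * 1000 + fee_in)

    def quote_out(self, base_in: int) -> int:
        """Quote received for base_in at current reserves (the 'expected' fill)."""
        return self._out(base_in, self.rb, self.rq)

    def sell_base(self, base_in: int) -> int:
        out = self.quote_out(base_in)
        self.rb, self.rq = self.rb + base_in, self.rq - out
        return out

    def sell_quote(self, quote_in: int) -> int:
        out = self._out(quote_in, self.rq, self.rb)
        self.rq, self.rb = self.rq + quote_in, self.rb - out
        return out

    def price_wad(self) -> int:
        """Quote per base as a 1e18 fixed-point number, decimals normalised."""
        return self.rq * WAD * 10**self.base_dec // (self.rb * 10**self.quote_dec)

    def raw_ratio_wad(self) -> int:
        """Quote per base in RAW units times 1e18. This silently carries the
        10**(quote_dec - base_dec) factor; an oracle that reports this value is
        the decimals-bug class modelled below."""
        return self.rq * WAD // self.rb


def min_out_correct(base_in: int, oracle_wad: int, pool: Pool) -> int:
    """Floor on quote received: oracle price rescaled once from 18-dec to 8-dec."""
    fair = base_in * oracle_wad * 10**pool.quote_dec // (WAD * 10**pool.base_dec)
    return fair * (BPS - MAX_SLIPPAGE_BPS) // BPS


def min_out_flawed(base_in: int, oracle_raw_wad: int, pool: Pool) -> int:
    """Same floor, but the oracle value already embeds the decimals factor and
    the consumer applies it again: the floor shrinks by 10**10, here to zero,
    so any execution price satisfies 'received >= floor'."""
    fair = base_in * oracle_raw_wad // WAD * 10**pool.quote_dec // 10**pool.base_dec
    return fair * (BPS - MAX_SLIPPAGE_BPS) // BPS


def run_attack(pool: Pool, attacker_base_in: int, protocol_base_in: int) -> dict:
    """Sandwich the protocol's swap: push the pool, let the protocol trade against
    the pushed price, unwind. Evaluates three versions of the slippage check on
    the protocol's trade, then executes that trade unconditionally, as a
    protocol whose check is broken would."""
    fair_wad = pool.price_wad()         # pre-attack reference (independent oracle)
    fair_raw = pool.raw_ratio_wad()     # same snapshot, decimals-confused variant
    attacker_quote = pool.sell_base(attacker_base_in)   # 1. push the quote price up
    expected = pool.quote_out(protocol_base_in)          # 2. protocol's expected fill
    checks = {
        # independent reference + correct scaling: catches the manipulation
        "independent_oracle": expected >= min_out_correct(protocol_base_in, fair_wad, pool),
        # oracle reads the already-moved pool: only the trade's own impact is measured
        "same_pool_oracle": expected >= min_out_correct(protocol_base_in, pool.price_wad(), pool),
        # independent reference but decimals bug: the floor collapses to zero
        "decimals_bug": expected >= min_out_flawed(protocol_base_in, fair_raw, pool),
    }
    protocol_got = pool.sell_base(protocol_base_in)      # 3. fill at the bad price
    attacker_back = pool.sell_quote(attacker_quote)      # 4. unwind
    q, b = 10**pool.quote_dec, 10**pool.base_dec
    return {
        "checks_passed": checks,
        "protocol_got": protocol_got,
        "protocol_fair": protocol_base_in * fair_wad * q // (WAD * b),
        "attacker_profit": attacker_back - attacker_base_in,
    }


def demo() -> dict:
    # constructed pool: 1,500 WETH / 100 WBTC, i.e. 1 WBTC = 15 WETH
    pool = Pool(rb=1_500 * 10**18, base_dec=18, rq=100 * 10**8, quote_dec=8)
    return run_attack(pool, attacker_base_in=300 * 10**18, protocol_base_in=30 * 10**18)


if __name__ == "__main__":
    print(demo())
```

Only the first check rejects the trade. The same-pool oracle passes it because the attacker's swap landed before the oracle was read, so the check only measures the protocol trade's own price impact, which stays under 3%; the decimals-bug variant passes it because the floor it computes is zero. The protocol receives fewer WBTC than the pre-attack price implies, and the attacker's unwind nets a positive WETH profit.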
Aftermath
- Vee Finance paused operations and announced an investigation.
- The team published a partial post-mortem but did not reimburse losses in full, and the protocol effectively wound down, never recovering its standing among Avalanche DeFi protocols.
- Stolen funds were bridged and laundered; no recovery was made public.
Why it matters
Vee Finance is one of the cleanest examples of the cost of ignoring a pre-launch audit recommendation. SlowMist had specifically flagged the single-oracle dependency before mainnet. The team launched anyway, presumably because moving to a multi-source oracle architecture would have delayed the launch and the BTC/AVAX bull-run window was closing.
The deeper structural lesson is the recurring one: for lending and leveraged-trading protocols, the oracle is the trust boundary. A single-source oracle, no matter how respected the DEX it reads from, is one large swap away from being manipulated. The defensive answer — multi-source aggregation with Chainlink, time-weighted oracles, deviation guards, liquidity floors — was already well-known and well-documented in 2021. Vee paid $35M for the choice not to implement it.
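The defensive layers listed above, as an added example that is not any protocol's code: a time-weighted average computed the way a v2-style cumulative-price oracle does it, a median across independent feeds, a deviation guard between spot and reference, and a liquidity floor. The price samples, the feed values (the "chainlink" entry included), the pool liquidity and the thresholds are all constructed for illustration.

```python
"""Reference-price guard combining the defences named above: a time-weighted
average computed the way a v2-style cumulative-price oracle does it, a median
across independent feeds, a deviation guard and a liquidity floor. Added
example, not any protocol's code; the samples, feed values (including the
'chainlink' one) and thresholds are constructed for illustration."""

from statistics import median

WAD = 10**18
BPS = 10_000


def twap_wad(samples: list[tuple[int, int]], now: int, window: int) -> int:
    """Time-weighted average price over [now - window, now].
    samples = [(timestamp, price_wad), ...] in time order; each price is live
    from its timestamp until the next sample (the last one until `now`). A
    one-block spike therefore carries weight proportional to its duration only."""
    start = now - window
    if not samples or samples[0][0] > start:
        raise ValueError("not enough price history to cover the window")
    ends = [t for t, _ in samples[1:]] + [now]
    total = 0
    for (t0, price), t1 in zip(samples, ends):
        lo, hi = max(t0, start), min(t1, now)
        if hi > lo:
            total += price * (hi - lo)
    return total // window


def guarded_reference(spot_wad: int, feeds: dict, pool_liquidity_wad: int,
                      min_liquidity_wad: int, max_deviation_bps: int):
    """Decide whether a trade may be priced at `spot_wad`.
    Returns (accepted, reference_wad, reason).
      1. liquidity floor: a thin pool is cheap to move, so refuse to price off it
      2. median of independent feeds: one manipulated source cannot drag the reference
      3. deviation guard: spot far from the reference means someone moved the pool"""
    if pool_liquidity_wad < min_liquidity_wad:
        return False, 0, "pool below liquidity floor"
    reference = int(median(feeds.values()))
    deviation_bps = abs(spot_wad - reference) * BPS // reference
    if deviation_bps > max_deviation_bps:
        return False, reference, f"spot deviates {deviation_bps} bps from reference"
    return True, reference, "ok"


def demo(spot_wad: int):
    # constructed history: 1 WBTC = 15 WETH for 590 s, then pushed to 21 WETH
    # for the final 10 s of a 600 s window (an attacker's same-block swap)
    samples = [(0, 15 * WAD), (590, 21 * WAD)]
    twap = twap_wad(samples, now=600, window=600)
    feeds = {
        "pangolin_twap": twap,
        "chainlink_constructed": 15 * WAD + 5 * WAD // 100,   # 15.05, made-up value
        "pangolin_spot": spot_wad,
    }
    return guarded_reference(spot_wad, feeds, pool_liquidity_wad=2_000 * WAD,
                             min_liquidity_wad=500 * WAD, max_deviation_bps=300)


if __name__ == "__main__":
    print(demo(21 * WAD))                    # rejected: spot ~39% above reference
    print(demo(15 * WAD + 3 * WAD // 10))    # accepted: spot ~1.3% above reference
```

The ten-second spike to 21 moves the 600-second TWAP only to 15.1, the median of the three feeds ignores the manipulated spot entirely, and the deviation guard then refuses to trade at that spot. Each layer is independent: the liquidity floor would have rejected the trade even earlier had the attacker drained the pool instead of pushing it.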
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-vee-finance-hack-september-2021
- [02] decrypt.co: https://decrypt.co/81400/avalanche-defi-platform-vee-finance-suffers-35m-hack
- [03] slowmist.medium.com: https://slowmist.medium.com/the-main-cause-of-vee-finance-attack-52fc8e5fb13d