Belt Finance Multi-Strategy Vault

On May 29, 2021, the BSC yield aggregator Belt Finance lost a combined ~$50 million from its beltBUSD multi-strategy vault — the attacker walked with $6.23 million in personal profit, with the remaining ~$43.8M in fees and slippage destroyed in the manipulation. The exploit was a textbook vault-share-price manipulation funded by $385 million in flash loans from PancakeSwap.

What happened

Belt Finance's beltBUSD vault was a multi-strategy aggregator: user deposits were split across several underlying yield strategies (Venus, Ellipsis, etc.). To value the vault's shares — and thus the redemption value of each user's position — Belt's contract calculated the total assets across all strategies and divided by the vault's share supply.

The fatal assumption: all strategies would be balanced. Belt's share-price math read only one strategy (Ellipsis) and extrapolated that the value of all other strategies could be derived from the Ellipsis read. Under normal market conditions this was approximately true; under adversarial manipulation it was catastrophic.

The attack:

1. Flash-borrowed 385 million BUSD from PancakeSwap.
2. Pumped the Ellipsis stablecoin pool with massive BUSD volume, distorting the pool's internal pricing in ways that pushed the reported strategy value upward.
3. The share-price calculation, reading the inflated Ellipsis number and extrapolating to all strategies, computed a higher per-share value than the vault's actual reserves supported.
4. Deposited a small amount of BUSD into the vault, then withdrew at the inflated share price — receiving more BUSD than they put in.
5. Repeated the cycle 8 times, each time extracting a portion of the vault's reserves.
6. Repaid the flash loan, walked with $6.23M profit.

The remaining ~$43.8M loss was not extracted by the attacker — it was destroyed through slippage and fee impact as the vault's share-price oscillation produced bad executions for legitimate users still holding positions.

Aftermath

• Belt Finance paused affected vaults and announced a compensation plan.
• Affected users saw their beltBUSD positions reduced by 21.36% and 4Belt pool positions by 5.51%.
• The team committed $3 million to a user compensation fund.
• The vulnerability was patched by replacing the "one strategy as proxy for all" share-price calculation with explicit aggregate reads.

Why it matters

Belt Finance illustrates a recurring DeFi pattern: share-price calculations that extrapolate from a sample to the whole are vulnerable to manipulation of the sampled component. The same structural issue has shown up across:

• Belt Finance (May 2021) — extrapolated Ellipsis-strategy value to whole vault.
• Harvest Finance (Oct 2020) — used current Curve YPool prices as proxy.
• Cream Finance (Oct 2021) — read yUSD price from Yearn vault directly.
• Lodestar Finance (Dec 2022) — assumed GlpDepositor share/asset ratio.

The defensive answer is conceptually simple but operationally demanding: share-price calculations must read each underlying position independently, not extrapolate. This costs gas and complexity; protocols that skip the cost have paid it later in real losses.

The "$50M total loss for $6.23M attacker profit" ratio is also instructive. Many DeFi exploits destroy more economic value than the attacker extracts — through fee-impact, slippage, depeg cascades, and trust-loss-driven bank runs. The headline theft number under-states the actual cost.