Eleven Finance nerve Vault Bug
Flaw in Eleven Finance's nerveBUSD vault emergencyBurn/withdraw path let funds be withdrawn without burning shares, draining ~$4.5M on BNB Chain.
- Date
- Victim
- Eleven Finance
- Chain(s)
- Status
- Funds Stolen
In June 2021, the BNB Chain yield aggregator Eleven Finance lost approximately $4.5 million. A flaw in the emergencyBurn/withdraw path of its nerveBUSD vault let an attacker withdraw underlying funds without burning the corresponding vault shares, then re-use the still-valid shares to withdraw again, draining the vault.
What happened
The vault's emergency-withdraw path released underlying tokens but failed to burn/decrement the user's shares. The attacker withdrew, retained the shares, and repeated until the vault was empty (~$4.5M).
Why it matters
Eleven Finance is the "withdraw without burning shares" double-spend — structurally identical to Skyward Finance and the Platypus emergencyWithdraw class. The recurring lesson, in its purest form: on every withdrawal path — especially "emergency" ones — burn/decrement the claim before releasing the asset, no exceptions. Emergency functions are written fastest, reviewed least, and exempted (wrongly) from the discipline applied to normal-path functions; the catalogue shows them failing this way over and over.
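A minimal accounting model of the failure and the fix, added here as an illustration; it is not Eleven Finance's contract code. The Vault class, the 1:1 share price, the depositor names and the amounts are all assumptions. It checks the solvency invariant (outstanding shares never exceed assets held) after every emergency withdrawal, with and without the burn.

```python
# Toy model of a share-based vault (constructed for illustration).
class Vault:
    def __init__(self, burn_on_emergency):
        self.burn_on_emergency = burn_on_emergency
        self.assets = 0      # underlying tokens held by the vault
        self.shares = {}     # user -> share balance (1 share == 1 token here)
        self.paid_out = {}   # user -> tokens the vault has released

    def deposit(self, user, amount):
        self.assets += amount
        self.shares[user] = self.shares.get(user, 0) + amount

    def emergency_withdraw(self, user, amount):
        if amount <= 0 or self.shares.get(user, 0) < amount:
            raise ValueError("insufficient shares")
        if self.assets < amount:
            raise ValueError("vault has insufficient assets")
        if self.burn_on_emergency:
            self.shares[user] -= amount   # burn the claim first
        self.assets -= amount             # only then release the asset
        self.paid_out[user] = self.paid_out.get(user, 0) + amount

    def solvent(self):
        # Invariant: outstanding claims never exceed assets held.
        return sum(self.shares.values()) <= self.assets


def audit_emergency_path(burn_on_emergency, max_calls=20):
    """Call the emergency path repeatedly for one depositor.

    Returns (invariant_held_throughout, tokens_paid_to_that_depositor).
    """
    vault = Vault(burn_on_emergency)
    vault.deposit("depositor_a", 900)   # constructed sample balances
    vault.deposit("depositor_b", 100)
    held = True
    for _ in range(max_calls):
        try:
            vault.emergency_withdraw("depositor_b", 100)
        except ValueError:
            break
        held = held and vault.solvent()
    return held, vault.paid_out.get("depositor_b", 0)


if __name__ == "__main__":
    print("no burn  :", audit_emergency_path(False))
    print("with burn:", audit_emergency_path(True))
```

The same invariant, asserted after every state-changing call in a contract's test suite, flags a withdrawal path that releases assets without reducing shares on its first call.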
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-eleven-finance-hack-june-2021
- [02] rekt.news: https://rekt.news/eleven-finance-rekt