Incident Report for WePiggy — OEC Protocol CHE Market Abnormal Liquidation
The WePiggy core development team is still investigating; any new information will be added to this article.
Update time: December 24, 2021, 16:00
At present, the WePiggy core development team has completed the smart contracts, performed the multi-signature operations, taken the relevant assets out of the protocol’s treasury, converted them into the assets lost by users, and sent them to the affected users.
The 3 users who suffered losses in this abnormal liquidation have confirmed that they have received 100% compensation.
Next, the WePiggy community will do its utmost to continue the follow-up loss recovery work.
At the same time, we hope for more support and assistance from users across the whole crypto community. If direct and effective clues are provided that help the recovery work succeed, the WePiggy community will provide corresponding remuneration.
Update time: December 18, 2021, 15:00
Dear WePiggy community, our partners and DeFi users:
Thank you for your feedback and assistance!
The incident investigation has made phased progress. The following is the CHE market incident report; further information will be added here as it becomes available.
WePiggy’s core development team is committed to building a safer and more robust DeFi ecosystem, and this goal requires a concerted effort from everyone!
Summary
At 5:21 (UTC+8) on December 15, 2021, the WePiggy-OEC protocol experienced a short-term error in the CHE oracle, causing the CHE price in WePiggy to be far higher than the market price and resulting in abnormal liquidations of users who had borrowed CHE. Based on prices at the time of the incident, the total loss of user assets was approximately US$400,000.
Cause of the Accident
The WePiggy-OEC lending protocol integrated ExOracle, provided by the OEC development community (the primary oracle of the OEC network).
ExOracle aggregates multiple data sources into a comprehensive price feed for mainstream assets. Only WING and CHE were taken from a single data source, CoinMarketCap.
Starting in the early hours of December 15, 2021, CoinMarketCap’s price data began to show widespread errors. The prices of a large number of cryptocurrencies, including BTC, ETH, and CHE, deviated from the real market price by several times, and in some cases by many orders of magnitude.
The price of CHE surged from the normal US$0.28 to a maximum of US$33,486,904.70. As a result, users who borrowed CHE on WePiggy-OEC were subjected to abnormal liquidation.
Examples of abnormal price feed:
CHE price 1,338,569.407887 USD
https://www.oklink.com/zh-cn/oec/tx/0x2A2368FDAC2305F971A5F16EA3A157095EC1AFD4F33A9C4625E37DAF214DE4C5
CHE price 33,486,904.695169 USD
https://www.oklink.com/zh-cn/oec/tx/0x8F3627E97CECDE49EDC7FB3B56E7DEED8A24DB9BA5D11F05AEEC4863DE0FCC6E
CHE price 4,950,040.381348 USD
https://www.oklink.com/zh-cn/oec/tx/0x58B5CC02DD208A3F5FED8EE47D78C25410FA67634125358B4965E86A322DB516
CHE price 273,004.50961 USD
https://www.oklink.com/zh-cn/oec/tx/0xC233B1E69B988C8484440AAB578AB5B22EF7E0502FC31CBA4DACCC4376B45C4C
CHE price 273,004.50961 USD
https://www.oklink.com/zh-cn/oec/tx/0x97CD60F0CEA60303A377FF555D0A8C8E15D97E8649448BCD276CE5FD73F58786
Who Was Affected?
The abnormal price data occurred between 5:21 and 6:00 (UTC+8) on December 15, 2021.
During this period, only 3 users of WePiggy-OEC who borrowed CHE were liquidated. Based on prices at the time of the incident, the total loss of user assets was approximately US$400,000.
WePiggy lending protocols on other networks all use Chainlink as their primary oracle, so they were not affected by this event and can be used as normal.
Other markets in the WePiggy-OEC lending protocol were not affected and can be used as normal.
All abnormal liquidation transaction information:
Analysis of the WePiggy-OEC protocol contract interactions within the time range of the abnormal price feed identified the following abnormal liquidation transactions:
Affected user address
Analysis of the above abnormal liquidation transactions shows 3 affected user addresses:
0x15B8a631c3EaE390C9A4948046a93cF0e30dA07C
0x76179cc14A11c7aD82BC988EF0EbFd4f5fa69d40
0x53a8ba050EFb5f4d800711B157CF85E8C7C09e73
User losses
Analysis of the above abnormal liquidation transactions shows the following user losses:
1.78975414 BTC
2.221780053 ETH
301,310.5381 USDT
173.6123858 OKT
According to the CoinGecko price data at the time of the incident, the total loss of user assets suffered by the abnormal liquidations was approximately US$400,000.
On-Chain Tx Analysis
Addresses related to abnormal liquidation
Analysis of the above transactions shows that the main liquidator addresses and liquidation contracts are as follows:
Liquidator addresses:
0x5deb50d149c720996e84784bb686035e689eb746
0x0af564c3c06f70752ea46ff19ddd4bad78f5e1ea
Fund collection address:
0xF8F181d466d44974257F9Ccf0cE8398B7e059054
Liquidation related contracts:
0x1f31aa48e67b50896f106109aa5705627d0aa5b7
0xcef579e5a278b56098a584fbff048ccabac22738
Fund flow after liquidation
1. Liquidator address 0x5deb50d149c720996e84784bb686035e689eb746 transferred 278,930.1369689195 USDT to the intermediate address 0x107061e106D019d42F429ef1d40f59a1EA12D732.
Related Tx info:
https://www.oklink.com/zh-cn/oec/tx/0x1260F9934B3AA1F456D6E4D626032F141FBB7D1E936785745EDA85A799B319DB
2. The intermediate address 0x107061e106d019d42f429ef1d40f59a1ea12d732 then transferred 278,930.1369689195 USDT to two HECO addresses, 0x7e4D6200e131E4424755A30E4ebaf6D0dDb4b4f6 and 0x9De05af3fA7E41FCca5CC0037092c27d4aae6087, through AnySwap.
Related Tx info:
https://www.oklink.com/zh-cn/oec/tx/0xA4C3BAA853BE03280929AD4F626CF716B20F651B1A3B5F6192CFA061B45C10EC
3. Address 0x7e4D6200e131E4424755A30E4ebaf6D0dDb4b4f6 transferred 139,463 USDT to the Ethereum mainnet address 0xA91855Ab6110A1D45F76F71A161fEd7E0bF5aD7B through AnySwap.
Related Tx info:
https://hecoinfo.com/tx/0x48ff3167b4baa208b288a43d860fbeeb3739b61a64e7f75cd3bc9096900991fd
4. Address 0x9de05af3fa7e41fcca5cc0037092c27d4aae6087 transferred 139,463 USDT to the Ethereum mainnet address 0xA91855Ab6110A1D45F76F71A161fEd7E0bF5aD7B through AnySwap.
Related Tx info:
https://hecoinfo.com/tx/0x74050973b319aefa740e3c2182f35c3bbea01ff02a7e0fb11424f2d30e1b80e0
5. On Ethereum mainnet, address 0xA91855Ab6110A1D45F76F71A161fEd7E0bF5aD7B transferred 278,647.074 USDT to address 0x500f0f0eb897fc9c23a6c7fb465a3692ece30030.
Related Tx info:
https://etherscan.io/tx/0xab6291e214025f81ebd3ddd585f59e5feeca0a2ec074fef259df19c6a0c655fb
Identity clues of the attackers on Ethereum mainnet
Address 0xA91855Ab6110A1D45F76F71A161fEd7E0bF5aD7B
a. Withdrawal Tx information sent from Huobi:
https://etherscan.io/tx/0x5a6e38bdd3e8fa1e091779c1b8b37e87c56f50afc33fd7c1aa0d5f9462a1c871
b. Withdrawal Tx information sent from Huobi:
https://etherscan.io/tx/0xfd240c876a8cb072a4a57f204f44dfc6dff93ab2a820f105322780f266394afb
c. Suspected Huobi personal account deposit address: 0xddE0b68EC01181c1d72C1602F2d799F37F42ae1d
(analyzed from: https://etherscan.io/address/0xdde0b68ec01181c1d72c1602f2d799f37f42ae1d)
d. Suspected Bybit personal account deposit address: 0x500f0f0EB897fc9c23A6c7fB465A3692eCe30030
(analyzed from: https://etherscan.io/tx/0xab6291e214025f81ebd3ddd585f59e5feeca0a2ec074fef259df19c6a0c655fb)
e. There have been multiple withdrawals from Binance to 0x500f0f0EB897fc9c23A6c7fB465A3692eCe30030
(analyzed from: https://etherscan.io/tx/0x8f4cf23440b7c2310c41fcbd60df9d063695d40701fd69b00f251f1329deefa0)
f. There was a withdrawal from MXC to 0x500f0f0EB897fc9c23A6c7fB465A3692eCe30030
(analyzed from: https://etherscan.io/tx/0xb274ef1b4b93801daa525e676fed517a1dd9b66386395932e0aab492f0b07891)
Identity clues of the attackers on HECO
1. Address 0x9de05af3fa7e41fcca5cc0037092c27d4aae6087
a. Received 4290 HT from 0x643529b5ab29729696d0ead3e28a36c51c2fe51b as initial funding. Related tx information:
https://hecoinfo.com/tx/0x6257399328196ad22015600a4a47eb60a944adfa97c89febcc02dd43220a5c37
b. Address 0x643529b5ab29729696d0ead3e28a36c51c2fe51b withdrawal Tx information from Huobi:
https://hecoinfo.com/tx/0x31d12b1bd01cc37a933515d0a8bdb935c7e28681f1c0aa792920b8bd340adff4
2. Address 0x7e4D6200e131E4424755A30E4ebaf6D0dDb4b4f6
a. Received 0.001289 HT from 0x8c422da8c02bc2236ef54ee5adcea28b34e6da86. Related tx information:
https://hecoinfo.com/tx/0x044fcdbf050a379cfb051f5c130cc7bc70e55018be59453ddcef4052583ac015
b. Address 0x8c422da8c02bc2236ef54ee5adcea28b34e6da86 received 3.0337654 HT from 0xa8a4f48f3dbc4cc7c9d66cae61f49c8d7f2e66ac.
Related Tx information:
https://hecoinfo.com/tx/0x011cba749add132dec124280bf3e7f193087e36e2a1f586d8d4a870787bbc204
c. Address 0xa8a4f48f3dbc4cc7c9d66cae61f49c8d7f2e66ac withdrawal Tx information from Huobi:
https://hecoinfo.com/tx/0x44e5b827cc0022eaadcb55b958a010da094a9dc5ae083f7d432829debda50c06
Identity clues of the attacker on OEC
Address 0x5deb50d149c720996e84784bb686035e689eb746
Withdrawal Tx information from OKEx:
https://www.oklink.com/zh-cn/oec/tx/0x9EEB3FC26EAD2B7F540DCACED51C2F4FBBB2763932CE68C189A7BE1FF6B15C32
Emergency Risk Control Measures
- After the incident, the WePiggy core development team quickly activated the emergency plan and paused the deposit and borrowing functions of the CHE market on the WePiggy-OEC protocol.
- Proactively contacted the ExOracle development team to report the price feed error and recommended that they immediately contact other protocol developers integrating the oracle.
- Before ExOracle completed its new CHE price strategy, to prevent further and larger losses, WePiggy’s self-developed oracle was enabled to feed prices to the CHE market and related monitoring programs were started.
- Proactively contacted the OEC node community and requested that the nodes temporarily freeze the addresses related to the abnormal liquidations. The OEC node community responded promptly, and part of the funds were retained on the OEC network.
- Contacted security partner SlowMist to jointly analyze the cause of the incident.
- Proactively contacted the HECO node community and requested that the nodes temporarily freeze the addresses related to the abnormal liquidations. Before any assistance could be obtained, the funds had already been transferred from HECO to Ethereum mainnet.
- Posted an announcement once again calling on WePiggy-OEC protocol users to repay as soon as possible, disable CHE as collateral, and return CHE borrowings.
Enable the Emergency Plan
WePiggy’s core development team followed the pre-arranged “72-hour emergency plan” process and completed the analysis of on-chain information and the emergency risk control of the protocol.
The team then confirmed the identities of the users who suffered losses in the abnormal liquidations and reached agreement with them on the amount of loss and the method of compensation.
The compensation process has now been started, regardless of whether the funds can be successfully recovered.
Sources of advanced funds
Depending on the size of the users’ affected funds, the following funds are used to advance compensation. If all of these funds together are insufficient to cover the loss, they will be distributed to all affected users in proportion to their asset losses.
1. The mining pool extra rewards in the early days of the protocol
2. Reserves in WePiggy lending protocol
3. The risk reserve part of WPC token distribution
The process of advancing user losses
1. The affected users submit requests
All affected users have submitted requests to the WePiggy development team through social media for reserves to be used to advance their losses.
2. On-chain identity verification
All affected users have sent on-chain information specified by the WePiggy development team to verify address ownership.
3. Sign the agreement off-chain
All affected users have provided their personal information and signed relevant agreements for the advance payment of losses.
4. Enable reserve to advance losses
The WePiggy development team is writing smart contracts and performing multi-signature operations to take the relevant assets out of the protocol’s treasury, convert them into the assets lost by users, and send them to the affected users.
Note:
With the support and assistance of the OEC node community, the ExOracle development team will provide financial support for the advance payment of losses together with WePiggy Protocol.
On behalf of the affected users and WePiggy community, we would like to express our sincere gratitude to them!
Follow-Up Improvement Plan
- Strengthen the understanding and evaluation of third-party oracle’s price sources, pricing logic and price feeding methods;
- Improve the risk assessment framework and raise the standards for new asset listing;
- Monitor the liquidity level changes of the listed assets and adjust risk parameters in time;
- Develop a risk control module for the lending protocol that can minimize the scale of abnormal liquidations even when the most authoritative third-party oracles report abnormal prices.
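The following is an added example, not WePiggy or ExOracle code, showing what such a risk control module can look like for the two failure modes this report describes: the CHE price coming from a single off-chain source (the Cause of the Accident section), and a feed that jumps by orders of magnitude within one update. The feed takes the median of several sources and requires a quorum, and it caps the move allowed per update; a breach pauses liquidation in that market instead of liquidating at the bad price. The source names ("cmc", "dex_twap", "cex_b"), the 50% jump cap, the borrower position and the collateral factor are constructed for the demonstration; the CHE prices are the ones quoted in this report.

```python
"""Added example, not WePiggy or ExOracle code: a guarded price feed for a
lending market.

Two defences: price an asset from the median of several sources with a
quorum (ExOracle fed CHE from a single source, CoinMarketCap), and cap the
jump a feed may make per update so that a breach pauses liquidation in that
market instead of liquidating at the bad price. Source names, market
parameters and the borrower position are constructed; the CHE prices are the
ones quoted in the report (US$0.28 normal, US$1,338,569.41 from the bad feed).
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, Optional


@dataclass
class GuardedFeed:
    """Price feed that refuses to hand a suspicious price to the lending market."""
    last_good: float          # last accepted price in USD
    max_jump: float = 0.5     # reject an update that moves more than 50% from last_good
    quorum: int = 2           # minimum number of live sources per round
    paused: bool = False      # True while the market must not liquidate

    def update(self, quotes: Dict[str, Optional[float]]) -> Optional[float]:
        """Accept one round of quotes. Returns the accepted price, or None when
        the quotes cannot be trusted and the market is paused."""
        live = [p for p in quotes.values() if p is not None and p > 0]
        if len(live) < self.quorum:            # single source or outage: do not price
            self.paused = True
            return None
        candidate = median(live)               # one poisoned source cannot move the median
        if abs(candidate / self.last_good - 1) > self.max_jump:
            self.paused = True                 # whole feed jumped: circuit breaker
            return None
        self.paused = False
        self.last_good = candidate
        return candidate


@dataclass
class Position:
    collateral_usd: float      # collateral already valued by trusted feeds (BTC, ETH, USDT, OKT)
    collateral_factor: float   # fraction of collateral value that may be borrowed against
    borrowed_che: float        # CHE units borrowed


def naive_liquidatable(pos: Position, che_price: float) -> bool:
    """An unguarded market: debt is valued at whatever the feed says."""
    return pos.borrowed_che * che_price > pos.collateral_usd * pos.collateral_factor


def guarded_liquidatable(pos: Position, feed: GuardedFeed,
                         quotes: Dict[str, Optional[float]]) -> bool:
    """Same solvency test, but a paused feed blocks liquidation entirely."""
    price = feed.update(quotes)
    if price is None:
        return False
    return naive_liquidatable(pos, price)


def demo() -> Dict[str, bool]:
    """Replay the incident against both designs; returns the liquidation decisions."""
    # Constructed borrower: US$10,000 of collateral, 80% collateral factor,
    # 20,000 CHE borrowed (worth US$5,600 at the US$0.28 market price).
    pos = Position(collateral_usd=10_000.0, collateral_factor=0.8, borrowed_che=20_000.0)
    bad_feed_price = 1_338_569.407887          # first abnormal CHE price in the report

    results = {
        "naive_true_price": naive_liquidatable(pos, 0.28),
        "naive_bad_feed": naive_liquidatable(pos, bad_feed_price),
    }
    # Single-source feed (CoinMarketCap only, quorum relaxed to 1): the jump cap fires.
    single = GuardedFeed(last_good=0.28, quorum=1)
    results["guarded_single_source"] = guarded_liquidatable(pos, single, {"cmc": bad_feed_price})
    # Multi-source feed: the poisoned CoinMarketCap quote loses to the median.
    multi = GuardedFeed(last_good=0.28)
    results["guarded_multi_source"] = guarded_liquidatable(
        pos, multi, {"cmc": bad_feed_price, "dex_twap": 0.281, "cex_b": 0.279})
    results["multi_source_paused"] = multi.paused
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:>24}: {decision}")
```

The jump cap is a blunt instrument: a genuine 60% move in one update would also pause the market, so the cap has to be tuned per asset against its real volatility and the feed’s update interval, and a paused market needs an explicit path (governance or a trusted fallback oracle, as WePiggy used here) to resume. The median only helps when fewer than half the sources are wrong, which is why the quorum and the cap are used together rather than either alone.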
Last But Not Least
Knowing is easy and doing is hard. DeFi is a free and open world, and the parties within the ecosystem are often interdependent. Attacks against infrastructure such as oracles are not limited to on-chain activity; supply chain attacks may also be carried out through weak off-chain data sources.
We recommend that users of lending protocols, after fully understanding and evaluating the product characteristics of each “bank”, spread their assets across different “banks” on different networks that they consider trustworthy, so as to diversify risk, improve resilience, and avoid a single point of failure causing irreparable losses.
To deal with the worst possibilities, we drew up a “72-hour emergency plan” internally at launch and reserved a share of the risk reserve in the tokenomics to cover part of the losses users might suffer from an attack. This incident also took us through the execution of the entire emergency plan.
The plan may not be perfect, but the attitude of WePiggy’s core development team is clear: to act, to deliver, and to take responsibility in the face of emergencies, within our capabilities.
We also hope for more understanding, support and assistance from the crypto community to deal with this incident together and build a safer and more robust DeFi ecosystem.
Finally, the WePiggy core development team would like to thank the SlowMist security team, the OEC node community, the ExOracle team, the Heco node community, and many friends and users for their support and help during the investigation of this incident. Thank you!
We sincerely hope that the owner of the addresses that performed this abnormal liquidation will read this incident report, contact the WePiggy core development team at contact@wepiggy.com, and return part of the assets to the WePiggy protocol. Our community is also willing to provide a bounty for this.