VOW

The VOW Ecosystem Foundation holds a treasury of VOW but it does not offer an opinion on investing in VOW or any other crypto. It reminds visitors that all crypto, including VOW, is a high-risk investment and you should not expect to be protected if something goes wrong. You could lose all the money you invest.

Chapter 43 / 53· The Great Test

The Economic Attack

The Attack

On 13 August 2024, the ecosystem experienced one of the most significant disruptions in its history.

An economic attack exposed weaknesses that had not previously been fully understood.

The consequences were immediate.

Value was destroyed.

Markets reacted.

Confidence declined.

Uncertainty spread throughout the community.

For many participants, the experience was devastating.

Years of effort appeared to unravel within a matter of days.

The attack did not merely impact charts and market prices.

It affected people.

Real people.

People who had committed time, resources, energy and belief to the vision.

People who had spent years contributing to the ecosystem.

People who genuinely believed they were helping build something meaningful.

The economic damage was substantial.

The emotional damage was equally significant.

What Happened

The incident began during routine testing of the USD rate setter function on the vUSD contract. The function was being prepared to support the new lending pool and chainlink oracle mechanisms that were due to come online.

To verify the change end to end, the rate was amended and 1m VOW (about $1,000,000 at the time) was sent to the contract and burned. As expected, this produced 100m vUSD, which was also burned immediately after the test. The full change–test–revert window was only around 15 to 30 seconds.

Inside that brief window, in a malicious act that could not have been known about at the time, an automated bot detected the new rate, acquired roughly 20m VOW from Uniswap, and pushed those tokens through the contract. The transient rate produced nearly 2 billion vUSD. The bot then sold that vUSD straight back into the Uniswap pool. The automated bot had been set up 110 days prior, and had been funded by a Tornado Cash address — making it nearly impossible to identify the attacker.

The result was a sudden flood of vUSD vouchers into the open market. The underlying VOW supply had not increased — in fact 20m VOW had been removed from circulation by the exploiter — but the discount voucher supply had been pushed far beyond its intended level. Markets reacted instantly and confidence collapsed.

It is worth being clear about what this attack was and what it was not. It was not a breach of the VOW token. It was not a compromise of user wallets. It was an exploitation of a narrow timing window around a contract function during a live test. The protocol behaved as written. The lesson was that "as written" was not yet conservative enough.

We have several leads in the investigation as to who could have set up these contracts to attack the project and why — and analysis continues to this day to identify the perpetrator and bring them to justice.

Technical Breakdown

Independent security researchers at Certik subsequently published their own incident analysis. Their reconstruction lines up with the team's account and provides a useful external view of exactly how the exploit was executed on-chain.

Certik
Certik — VOW Incident Analysis
Independent on-chain reconstruction of the 13 August 2024 exploit
Read analysis →

On 13 August 2024, the VOW token was exploited for approximately $1.2 million. The usdRateSetter address (0xbA1be907f532Ff6bb0088279e0f3DCDdD693aC7c) in the VOW contract temporarily changed the exchange rate (usdRate) between VOW and vUSD from 1 to 100. A malicious actor exploited that transient rate to obtain vUSD at 100× the correct amount.

After the incident, the VOW team confirmed publicly on X that they were testing the USD rate setter function of the vUSD contract in order to prepare the new lending pool and oracle functions.

The attack contract had been deployed 110 days prior to the incident and executed within two blocks of the transaction that modified the usdRate. The usdRateSetter had performed similar operations on 22 November 2023 and 1 March 2024 — temporarily changing the rate to 150 and 200 respectively before reverting it to 1. None of those earlier changes were exploited, which suggests the attacker had been monitoring the address for some time and executed automatically as soon as the opportunity arose.

Addresses

  • Exploiter wallet: 0x48de6bF9e301946b0a32b053804c61DC5f00c0c3
  • Exploit contract: 0xB7F221e373e3F44409F91C233477ec2859261758

Step by step

Two blocks before the attack, the usdRateSetter set the usdRate to 100. Having detected the rate change, the attacker borrowed 1,486,625 VOW from the Uniswap VOW–WETH pool via flash loan and transferred them all to the VSCTokenManager contract in order to burn them in exchange for vUSD.

When the VSCTokenManager receives VOW tokens it calculates the amount of vUSD to mint using the current usdRate. With the rate set to 100, the attacker received 100 vUSD for every VOW burned — minting 148,662,529 vUSD from 1,486,625 VOW.

The attacker then used that vUSD to drain the VOW–vUSD pool, swapping ~148m vUSD for the 59m VOW sitting in the pool. They repaid 1,490,198 VOW to the VOW–WETH pool to close the flash loan, and used the remaining VOW to drain the VOW–USDT and VOW–WETH pools. In total they extracted approximately 175 ETH, 595k USDT and 5.8M VOW of the community's liquidity.

Communication

Throughout the incident the team chose transparency over silence. Updates were posted publicly, in real time, explaining what had happened, what was being done about it, and what holders should and should not do. The cadence and tone of those updates became part of how the ecosystem held together over the following weeks.

VOW community update, 13 August 2024: explanation of the incident during testing of the USD rate setter and the bot exploitation of the timing window.
13 August 2024 — first public explanation of the incident and immediate response.
VOW community update, 14 August 2024: VSR burn rate increased to 50% to reduce excess vUSD supply, ETH/BSC bridge suspended.
14 August 2024 — VSR burn rate raised to 50%, ETH/BSC bridge suspended, VOW Ecosystem Foundation buyback removes 700m+ vUSD from supply.
VOW community update, 15 August 2024: ecosystem partners working through options, ~100m vUSD already burned out of supply.
15 August 2024 — ecosystem partners working through paths forward; roughly 10% of excess supply already burned.
VOW community update, 16 August 2024: bridge reopening flushed remaining locked vUSD, market begins to recover, VSR continues burning supply.
16 August 2024 — the last locked vUSD clears the bridge, markets begin to stabilise, and the team warns holders about scammers exploiting the moment.

What Happened Next

Once the immediate market response had been managed, the question shifted from triage to direction. The VOW Ecosystem Foundation deliberately did not impose a unilateral fix. Instead, the path forward was put to the community in an on-chain vote, with the VOW Ecosystem Foundation's own tokens excluded so that the decision would rest entirely with independent holders.

VOW on-chain vote result, 4 October 2024: 97.55% in favour with over 15M VOW across 257 wallets, quorum reached without VOW Ecosystem Foundation tokens.
4 October 2024 — quorum reached with VOW Ecosystem Foundation tokens excluded; 97.55% of independent holders voted in favour of the recovery path.

With a clear mandate from the community, the recovery plan was put into motion. New vcurrency contracts were written from a clean slate, with the lessons of August designed in from the start — tighter controls around any privileged function, no live testing against production liquidity, and a more defensive posture around rate-setting paths.

The new contracts were then submitted for an independent smart contract audit by Hacken, one of the most established security firms in the industry. Although the original deployment was duly audited, this attack vector had not been identified in the original audit reports. Now, with the Hacken audit in place, an external, public review of the code underpins the next chapter of the ecosystem.

H
Hacken Smart Contract Audit
VOW vcurrency contracts — September 2024
View report →

With audited contracts in hand and a community mandate behind them, the path to recovery began.