The analysis of Nerve Bridge Security Incident

0x.1 Preface

On Nov 15th, 2021, our internal monitoring system caught suspicious flashloan transactions on BSC. After investigation, we found that it was an attack targeting Nerve Bridge, including the MetaPools of fUSDT and UST.

Figure 1: an example of attack transaction

0x2. Background

0x2.1 What is MetaPool?

Basically, Curve provides two kinds of stablecoin swap pools, i.e., Standard StableSwap Pool and MetaPool. The former is a fully AMM to create cross-markets between different stablecoins [1]. It is the most widely used type of pool, e.g., Curve.3pool, which consists of DAI, USDC and USDT. However, this pool cannot isolate the risk between stablecoins, which may lead to great losses for LP providers.

Figure 2: Neve.3pool

0x2.2 Source of the Vulnerable Code

Curve’s MetaPool is implemented in Vyper. To support the development of Solidity, Saddle.Finance’s dev team rewrite the code with Solidity. As the very beginning of this vulnerability, it has been forked and adopted by Synapse and Nerve, respectively. On Nov 6th, Synapse was attacked.

Figure 3: attack transactions targeting Synapse
  • MetaSwap: 0xd0fBF0A224563D5fFc8A57e4fdA6Ae080EbCf3D3
  • MetaSwapUtils: 0x91d1DBE983fBCbBAC198D5310f1d0C249bb54E65

0x3. Vulnerability Analysis

In MetaPool, there are two important functions, i.e., swap and swapUnderlying. Specifically, the former is used to swap the LP token and the pool stablecoin, while the latter is used to swap the pool stablecoin and the underlying stablecoins.

swap: _calculateSwap function
swapUnderlying: _calculateSwapUnderlying function

0x4. Attack Analysis

We will take the sample transaction ( as an example to illustrate the attack.

Figure 6: the five attack steps
  • Step 1: borrowing 50,000 BUSD using Flashloan from Fortube
  • Step 2: swapping 50,000 BUSD for 50,351 fUSDT from Ellipsis.
  • Step 3: invoking the swap function of MetaSwap to swap 50,351 fUSDT for 36,959 Nerve 3-LP with a relatively big slippage.
  • Step 4: invoking the removeLiquidityOneCoin function of Nerve.3pool with the LP tokens (received in the previous step) to remove the liquidity of BUSD, i.e., 37,071 BUSD.
  • Step 5: invoking the swapUnderlying function of MetaSwap to swap BUSD for fUSDT, and receiving 51,494 fUSDT.





Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


The BlockSec Team focuses on the security of the blockchain ecosystem and the research of crypto hack monitoring and blocking, smart contract auditing.