Logic error, no access control
Before going forward, we need to note that Strictly-Scarce loves simplicity. So much so that Vether V3 had the ability to upgrade from V2 to V3 and skip an approval step, breaking from the ERC-20 standard.
You also need to know that Vether has a little used feature. You have the ability to exclude an address from the transfer fee of 10 basis points built into Vether. For most folks this is unnecessary, but this feature played a big role in the exploitation of Vether V3.
Feeling the pressures of a potential illegitimate grab of the remaining Vether V2, the community and dev pushed out V3. Unbeknownst to most upgraders, there was a fatal flaw created by the shortcut created for upgrading from V2 to V3.
By paying the 128 Vether fee, someone could control all of the Vether V3 using the flaw in the code. This came to light when someone anonymous (we’ll call this person “Anon”) bought Vether off Uniswap and then paid the 128 exclusion fee. They then claimed all the Vether in the Vether contract. About 900,000 Vether. They then dumped 150,000 Vether into Uniswap and pulled out ~15 Ethereum (not $900,000 as you may have read on Twitter). This devalued all Vether V3 and destroyed its value.
DISCLAIMER: While Zero Friction LLC has used the best efforts in aggregating and maintaining this database, Zero Friction LLC makes no representations or warranties with respect to the accuracy or completeness, and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose.
Under no circumstances, shall Zero Friction LLC be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the dataset or information derived from our database.