#Slippage transaction
https://etherscan.io/tx/0x8f102ad5cca37362084b86fd78d7f52a73d7bc9eb73f7e2ff482783831a6b5c8
0x44e59f7 does $445k Curve zap withdraw to USDC from the new busd.curve.fi pool (before it's announced) so there is only ~50k liquidity.
Withdraws everything to USDC (after depositing equally in DAI, USDC, USDT, and BUSD)
There is only $25k USDC
$450k turns into $25k due to slippage
The "zap" (which is just a quick automation of txs), that I wrote, does not check for slippage
So now at this point, the pool is lopsided
0% USDC
Me and Mich notice the slippage trade
I contact one of our biggest whales for help, and ask him to execute these two trades:
#Pool Balance transactions
https://etherscan.io/tx/0xb129d3513596714f135d2834b8fb19d2b1dcdb4cb0f4303c41a0ef64b5f2f40c
https://etherscan.io/tx/0xa1f40542af9ec06ca1da9fdbad02e2335e26e965e8cd26f5c1fe8daa15ba8b89
So now he trades 89k USDC for 465k BUSD and 89k DAI for 134k USDT
After these two trades, the pool is stable
So no exploit on the iearn tokens or curve protocol
Just my zap that wasn't expecting someone to donate 100% of the pool and then try to withdraw 400% of 1
This was not developed by DefiZap and is not related to their excellent product; if they wrote it they would have checked for slippage
We did get ahold of the first trader, and we have arranged for the funds back. We couldn't get everything
There was a mini trade in between (another user was interacting with the pool)
That did walk away with profit, he said he won't give it back unfortunately
But we have the 465k BUSD - 89k USDC and 134k USDT - 89k DAI to give back
Net results:
-$445,882 deposit
+$25,539 USDC
+$44,707 USDT (trade 2)
+$375,490 BUSD (trade 3)
So they technically lost $146.00
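
A sketch of the slippage check the zap was missing, added here as an example and not the gist author's zap or Curve's contract code: a fee-free StableSwap-style single-coin withdrawal quote in Python, wrapped in a caller-supplied minimum output that makes the withdrawal revert. The amplification `A`, the balanced 124,000-per-coin pool, the assumption that one LP token is worth about $1, and all function names are constructed for illustration.

```python
# Added example: simplified, fee-free StableSwap-style model (not the gist's zap).
N = 4             # DAI, USDC, USDT, BUSD
A = 100           # assumed amplification, not the real pool's parameter
UNIT = 10**6      # integer amounts with 6 decimals

class SlippageExceeded(Exception):
    pass

def get_D(xp):
    """Newton iteration for the StableSwap invariant D of balances xp."""
    S, Ann = sum(xp), A * N
    D = S
    for _ in range(255):
        D_P = D
        for x in xp:
            D_P = D_P * D // (N * x)
        prev, D = D, (Ann * S + D_P * N) * D // ((Ann - 1) * D + (N + 1) * D_P)
        if abs(D - prev) <= 1:
            break
    return D

def get_y(i, xp, D):
    """Balance coin i must hold so the other balances satisfy invariant D."""
    Ann, c, S_ = A * N, D, 0
    for k, x in enumerate(xp):
        if k != i:
            S_ += x
            c = c * D // (x * N)
    c = c * D // (Ann * N)
    b, y = S_ + D // Ann, D
    for _ in range(255):
        prev, y = y, (y * y + c) // (2 * y + b - D)
        if abs(y - prev) <= 1:
            break
    return y

def quote_withdraw_one_coin(xp, lp_burn, lp_supply, i):
    """Amount of coin i received for burning lp_burn LP tokens (no fees)."""
    D0 = get_D(xp)
    return xp[i] - get_y(i, xp, D0 - lp_burn * D0 // lp_supply)

def min_out_for(lp_burn, tolerance_bps):
    """Minimum acceptable output, assuming 1 LP token is worth about $1."""
    return lp_burn * (10_000 - tolerance_bps) // 10_000

def zap_withdraw(xp, lp_burn, lp_supply, i, min_out):
    """The guard: refuse the withdrawal when the quote is below min_out."""
    out = quote_withdraw_one_coin(xp, lp_burn, lp_supply, i)
    if out < min_out:
        raise SlippageExceeded(f"{out / UNIT:,.2f} < minimum {min_out / UNIT:,.2f}")
    return out

POOL = [124_000 * UNIT] * N   # constructed balanced pool; index 1 is USDC
```

With a 1% tolerance, burning 1,000 LP from this pool passes the guard, while burning 445,882 LP into USDC alone raises `SlippageExceeded` because the quote can never exceed the pool's USDC balance.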