Neutrl NUSD SY Internal Balance Redemption Exploit

On Ethereum mainnet, transaction 0x047fcfa2cfb51879f19769dd25e2768be42985f9c2d8f483f2a0c18703834061 (2026-02-04 13:49:23 UTC) used a Morpho flash loan to route through Pendle’s NUSD Standardized Yield (SY) integration and drain NUSD, then swap to USDC. The attacker’s EOA 0x1f36068728b86ae4d65249f6f1c8c62cfaeb0675 profited 45,907.95219 USDC after repaying the flash loan.

The attack vector is an access control / logic flaw in the SY redeem function that lets any caller set burnFromInternalBalance=true, burning the SY contract’s own balance and redeeming the underlying to an arbitrary receiver. In this transaction, the attacker induced the SY contract to hold large SY shares via Pendle market operations, then redeemed those shares to themselves without owning them.

The vulnerable contract is the SY-NUSD proxy at 0x29ac34026c369d21fe3b2c7735ec986e2880b347 (SY-NUSD). It resolves to implementation 0x25a6d3384b18c15fc61bc513a7612906d550489f via EIP-1967 slot 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc.

The vulnerable function is redeem(address,uint256,address,uint256,bool) (selector 0x769f8e5d) in SYBaseUpg. The unguarded internal-balance branch is shown below:

function redeem(
    address receiver,
    uint256 amountSharesToRedeem,
    address tokenOut,
    uint256 minTokenOut,
    bool burnFromInternalBalance
) external nonReentrant returns (uint256 amountTokenOut) {
    if (!isValidTokenOut(tokenOut)) revert Errors.SYInvalidTokenOut(tokenOut);
    if (amountSharesToRedeem == 0) revert Errors.SYZeroRedeem();

    if (burnFromInternalBalance) {
        // Unguarded: any caller can burn shares held by the SY contract itself
        // and have the underlying sent to an arbitrary receiver.
        _burn(address(this), amountSharesToRedeem);
    } else {
        _burn(msg.sender, amountSharesToRedeem);
    }

    amountTokenOut = _redeem(receiver, tokenOut, amountSharesToRedeem);
    if (amountTokenOut < minTokenOut) revert Errors.SYInsufficientTokenOut(amountTokenOut, minTokenOut);
    emit Redeem(msg.sender, receiver, tokenOut, amountSharesToRedeem, amountTokenOut);
}

Flaw description:

  • Logic & semantics: burnFromInternalBalance is fully controlled by the caller and lacks any authorization checks, allowing redemption of address(this)’s SY balance to any receiver.
  • External dependencies: The attack uses Pendle Router calls to move SY shares into the SY contract’s own balance, then redeems them to NUSD. The router is permissionless and forwards the attacker-controlled burnFromInternalBalance=true flag.
  • Market interactions: The attacker swaps stolen NUSD into USDC through the NUSD/USDC pool 0x7e19f0253a564e026c63eeaa9338d6dbddef3b09.
  • Forensic tracing: Funds flow from the SY contract to the attacker (NUSD), then from the pool to the attacker (USDC), indicating a logic error rather than price manipulation.

Call flow (tx 0x047fcfa2...): EOA -> attack contract (0x87eb.../0x45c...) -> Morpho.flashLoan(USDC) -> PendleRouter -> SY.deposit(USDC) -> Pendle market ops -> SY.redeem(receiver=attacker, burnFromInternalBalance=true) -> NUSD/USDC pool swap -> Morpho repayment.

Evidence:

  • Morpho flash loan: event topic 0xc76f1b4f... emitted by 0xbbbbbbbbbb9cc5e90e3b3af64bdaf62c37eeffcb shows token=USDC and amount=182,145,484.26926 USDC transferred to 0x45c101be18670baa1fda8264fd3ae46525437871.
  • SY redeem with internal burn: trace shows 0x888888888889758f76e7103c6cbf23abbf58f946 -> 0x29ac34026c369d21fe3b2c7735ec986e2880b347 call 0x769f8e5d with params (receiver=0x45c101be..., amountShares=45,941.033730571790726398, tokenOut=NUSD, minTokenOut=0, burnFromInternalBalance=true).
  • NUSD transfer: Transfer log (topic 0xddf252ad...) in NUSD token 0xe556aba6fe6036275ec1f87eda296be72c811bce shows from=0x29ac34026c369d21fe3b2c7735ec986e2880b347 to 0x45c101be... amount 45,941.033730571790726398 NUSD.
  • USDC drain: Transfer log (topic 0xddf252ad...) in USDC token shows from=0x7e19f0253a564e026c63eeaa9338d6dbddef3b09 to 0x45c101be... amount 45,917.952191 USDC.
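The decoder below is an added example and is not code from this report, from Pendle or from Neutrl. It parses the redeem(address,uint256,address,uint256,bool) calldata of the call listed under "SY redeem with internal burn", decodes the matching NUSD Transfer log, and flags the pattern described under "Flaw description": burnFromInternalBalance=true combined with a receiver that is not the caller. The selector, contract addresses and amounts are the ones given above; the calldata and log bytes are constructed here to reproduce them, the full Transfer event topic is the standard ERC-20 one, and all function names are this example's own.

```python
# Added example (not code from the incident report, Pendle or Neutrl): decode a raw
# SY.redeem call plus an ERC-20 Transfer log and flag the internal-balance redemption
# pattern. Selector, addresses and amounts are taken from the report; the sample
# calldata and log are constructed below, not captured from the chain.

REDEEM_SELECTOR = bytes.fromhex("769f8e5d")  # redeem(address,uint256,address,uint256,bool)
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"  # Transfer(address,address,uint256)

SY_NUSD = "0x29ac34026c369d21fe3b2c7735ec986e2880b347"
NUSD = "0xe556aba6fe6036275ec1f87eda296be72c811bce"
PENDLE_ROUTER = "0x888888888889758f76e7103c6cbf23abbf58f946"
ATTACK_CONTRACT = "0x45c101be18670baa1fda8264fd3ae46525437871"
NUSD_DECIMALS = 18


def _pad_address(addr: str) -> bytes:
    return bytes.fromhex(addr[2:]).rjust(32, b"\x00")


def _uint256(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _word_to_address(word: bytes) -> str:
    if word[:12] != b"\x00" * 12:
        raise ValueError("dirty upper bytes in address word")
    return "0x" + word[12:].hex()


def encode_redeem(receiver, amount_shares, token_out, min_token_out, burn_from_internal_balance) -> bytes:
    """ABI-encode a redeem call; used only to build the constructed sample below."""
    return (REDEEM_SELECTOR + _pad_address(receiver) + _uint256(amount_shares)
            + _pad_address(token_out) + _uint256(min_token_out)
            + _uint256(1 if burn_from_internal_balance else 0))


def decode_redeem(calldata: bytes) -> dict:
    """Decode the five static arguments of SY.redeem from raw calldata."""
    if calldata[:4] != REDEEM_SELECTOR:
        raise ValueError(f"not a redeem call: selector 0x{calldata[:4].hex()}")
    if len(calldata) != 4 + 5 * 32:
        raise ValueError("unexpected calldata length for redeem")
    words = [calldata[4 + 32 * i: 4 + 32 * (i + 1)] for i in range(5)]
    flag = int.from_bytes(words[4], "big")
    if flag not in (0, 1):
        raise ValueError("non-canonical bool encoding")
    return {
        "receiver": _word_to_address(words[0]),
        "amount_shares": int.from_bytes(words[1], "big"),
        "token_out": _word_to_address(words[2]),
        "min_token_out": int.from_bytes(words[3], "big"),
        "burn_from_internal_balance": flag == 1,
    }


def decode_transfer_log(log: dict) -> dict:
    """Decode an ERC-20 Transfer(address,address,uint256) log (indexed from/to, data = amount)."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
        raise ValueError("not an ERC-20 Transfer log")
    return {
        "token": log["address"].lower(),
        "from": "0x" + topics[1][-40:].lower(),
        "to": "0x" + topics[2][-40:].lower(),
        "amount": int(log["data"], 16),
    }


def format_units(amount: int, decimals: int) -> str:
    """Render a raw token amount with the given number of decimals."""
    whole, frac = divmod(amount, 10 ** decimals)
    return f"{whole}.{frac:0{decimals}d}"


def assess_redeem(caller: str, calldata: bytes, transfer_log: dict = None) -> dict:
    """Flag the internal-balance redemption pattern; corroborate it with a Transfer log if given."""
    call = decode_redeem(calldata)
    findings = []
    if call["burn_from_internal_balance"]:
        findings.append("burnFromInternalBalance=true: shares burned from the SY contract's own balance, not the caller's")
        if call["receiver"].lower() != caller.lower():
            findings.append("underlying routed to a receiver that is not the caller")
    if call["min_token_out"] == 0:
        findings.append("minTokenOut=0: caller accepted any output amount")
    if transfer_log is not None:
        xfer = decode_transfer_log(transfer_log)
        if (xfer["token"] == call["token_out"].lower() and xfer["from"] == SY_NUSD
                and xfer["to"] == call["receiver"].lower()):
            findings.append(f"corroborated: {format_units(xfer['amount'], NUSD_DECIMALS)} NUSD left the SY reserve to the receiver")
    return {"call": call, "findings": findings,
            "severity": "high" if call["burn_from_internal_balance"] else "info"}


# Constructed sample reproducing the report's parameters (not bytes captured from the chain).
SAMPLE_SHARES = 45_941_033_730_571_790_726_398  # 45,941.033730571790726398 shares, 18 decimals
SAMPLE_CALLDATA = encode_redeem(ATTACK_CONTRACT, SAMPLE_SHARES, NUSD, 0, True)
SAMPLE_TRANSFER_LOG = {
    "address": NUSD,
    "topics": [TRANSFER_TOPIC, "0x" + _pad_address(SY_NUSD).hex(), "0x" + _pad_address(ATTACK_CONTRACT).hex()],
    "data": "0x" + _uint256(SAMPLE_SHARES).hex(),
}

if __name__ == "__main__":
    report = assess_redeem(PENDLE_ROUTER, SAMPLE_CALLDATA, SAMPLE_TRANSFER_LOG)
    print(report["severity"], report["call"])
    for finding in report["findings"]:
        print(" -", finding)
```

Run against a decoded trace, the caller is the contract that invoked SY.redeem (the Pendle router in this transaction), so the receiver mismatch fires even though the router itself is a legitimate contract; a benign self-redemption (caller == receiver, burnFromInternalBalance=false, non-zero minTokenOut) produces no findings. Because the NUSD transfer is checked to originate from the SY contract rather than from the caller, the corroboration step distinguishes the reserve drain described here from an ordinary redemption of the caller's own shares.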

Financial impact:

  • 45,917.952191 USDC drained from the NUSD/USDC pool (≈$45.9k), representing the realized loss to pool LPs.
  • 45,931.037010071790726398 NUSD removed from the SY contract’s reserves (transfer out), weakening backing for the NUSD ecosystem.

Impact assessment:

  • Losses are borne primarily by NUSD/USDC LPs and the NUSD SY reserve; the protocol’s NUSD backing is reduced by ~45.9k NUSD-equivalent.
  • The attack did not require price manipulation; it exploited a permissionless internal-balance burn path in SYBaseUpg.redeem.

Related URLs: https://etherscan.io/tx/0x047fcfa2cfb51879f19769dd25e2768be42985f9c2d8f483f2a0c18703834061