Decentralized finance (DeFi) protocol yearn.finance’s YFI sank more than USD 4,000 after one of its DAI lending pools was emptied of USD 11m in an exploit. (Updated at 15:48 UTC with Yearn’s vulnerability disclosure, Paolo Ardoino’s tweet, and the latest price data.)
Yearn’s YFI governance token saw an abrupt USD 4,190 drop last night. Though the price has recovered slightly, it is still below yesterday’s levels. YFI is currently (15:47 UTC) trading at USD 32,671. It dropped 2.7% in the past 24 hours, though it is still up 10% over the week.
According to DeFi Pulse, Yearn’s total value locked has dropped 3.5% since yesterday – from USD 507.8m to the current USD 490.5m.
“We have noticed the v1 yDAI vault has suffered an exploit. The exploit has been mitigated. Full report to follow,” yearn.finance said in a tweet last night.
According to a post from Yearn’s core developer, banteg, the hacker took USD 2.8m, while the vault lost USD 11m.
A couple of hours later, banteg published a vulnerability disclosure, which confirmed that DAI 11m of vault deposits were lost. Meanwhile, the hacker got away with an estimated DAI 2.7m profit – they profited by “holding a portion of the Curve 3pool during the attack, and withdrawing to a combination of USDT, DAI, and ETH,” the team said, adding:
“Acting in roughly 11 minutes, Yearn’s security team and multi-sig wallet signers were able to stop the exploit while it was underway, saving 24m DAI out of the vault’s total 35m DAI deposits.”
According to yearn.finance, the exploit was carried out in the following steps:
- debalance the exchange rate between stablecoins in Curve’s 3CRV pool;
- make the yDAI vault deposit into the pool at an unfavorable exchange rate;
- reverse the imbalance caused in step 1;
- repeat this pattern in a series of 11 transactions executed over 38 minutes before being mitigated.
The statement said that “deposits into the strategy were effectively disabled, preventing further exploits from taking place.”
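The second step in the list above only works if the vault accepts whatever rate the pool offers at that moment. The Python sketch below is an added example, not Yearn’s code: it models a pre-deposit check that refuses to move funds when the pool’s quoted rate is off-peg. The two-coin, fee-less x*y=k pool, the pool balances and the 50 bps tolerance are all assumptions made for illustration; Curve’s pool uses a different pricing curve.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pool:
    """Toy fee-less two-stablecoin pool with x*y=k pricing (assumption:
    a simplification, not the curve used by Curve's pool)."""
    dai: float
    usdt: float

    def quote_dai_in(self, amount: float) -> float:
        """USDT the pool would pay out for `amount` DAI at current balances."""
        return self.usdt * amount / (self.dai + amount)


def check_deposit(pool: Pool, amount: float, max_slippage_bps: float):
    """Return (allowed, slippage_bps) for a vault moving `amount` DAI into the pool.

    Both coins are assumed to be worth USD 1, so the fair output equals
    `amount`. A shortfall beyond the tolerance means the pool's internal
    rate is off-peg and the deposit should be refused.
    """
    if amount <= 0:
        raise ValueError("amount must be positive")
    quoted = pool.quote_dai_in(amount)
    slippage_bps = (1 - quoted / amount) * 10_000
    return slippage_bps <= max_slippage_bps, slippage_bps


# Constructed pool states for illustration (not on-chain data).
BALANCED = Pool(dai=100_000_000, usdt=100_000_000)
SKEWED = Pool(dai=200_000_000, usdt=50_000_000)  # pool holds far more DAI than USDT

if __name__ == "__main__":
    for name, pool in (("balanced", BALANCED), ("skewed", SKEWED)):
        ok, bps = check_deposit(pool, 100_000, max_slippage_bps=50)
        verdict = "deposit" if ok else "refuse"
        print(f"{name}: slippage {bps:.1f} bps -> {verdict}")
```

The same check fails closed when run inside the deposit path itself, so a rate that is temporarily skewed within a single transaction is rejected before any funds move.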
Meanwhile, USDT 1.7m of the stolen funds has been frozen, announced Tether Chief Technology Officer Paolo Ardoino.
As soon as the attack was announced to the public, some commenters believed that they might have identified the Ethereum (ETH) address in question, according to which the vault was drained using an AAVE flash loan.
Aave founder and CEO Stani Kulechov described this as a “complex exploit with over 160 nested transactions and 8,6 mm gas used (around 75% of the block) resulted to 2.7 mm USD loss.”
Moreover, according to investor Julien Thevenard, liquidity providers on lending platform Curve Finance received over 3m of the stolen funds.
While Curve Finance didn’t comment on that, they said the Yearn team’s reaction to the incident was “impressive.”
This is far from the only exploit targeting DeFi platforms in the past year. Just recently, an exploit was reportedly discovered on DeFi protocol yCredit, launched by Yearn Finance founder Andre Cronje. He did, however, caution that yCredit is experimental and can be “economically exploited.”
And millions were lost in various attacks last year, such as those on Value DeFi, box, Balancer, Akropolis, Harvest Finance, and others.
Meanwhile, CipherTrace, a crypto intelligence firm, recently said that DeFi-related crime is on the rise, and claimed that fraud still accounted for a whopping 73% of all crypto crime.
At the end of last year, industry insiders predicted that attacks on DeFi platforms and protocols — particularly new ones — would rise in 2021.