Another decentralized finance exploit has resulted in an attacker making off with millions. This time around Yearn Finance is the victim.
A developer from Yearn Finance has reported that its v1 yDAI vault was exploited by a malicious actor in the early hours of Feb. 5. He added that the attacker got away with $2.8 million, and the vault lost $11 million.
Deposits into strategies have been disabled for version 1 DAI, TUSD, USDC, USDT vaults while the DeFi platform investigates. It appears that Curve Finance liquidity providers also benefitted from the attack to the tune of around $3 million.
Another Flash Loan Exploit
Research analyst Igor Igamberdiev broke down the incursion stating that the attacker executed eleven transactions beginning with a flash loan of 116,000 ETH from the dYdX exchange. A further 99,000 ETH was flash loaned from Aave v2, and this was then used as collateral to borrow 134 million USDC and 129 million Dai on the Compound Finance platform.
The attacker added the USDC and 36 million DAI to the 3crv Curve pool in order to withdraw 165 million USDT from it. This was repeated five times.
The remaining 93 million Dai was deposited in Yearn’s yDai vault and the 165 million USDT went into the 3crv pool. The funds were then withdrawn from the two pools after earning 3crv tokens with the last withdrawal being 39 million Dai and 134 million USDC instead of USDT. The Compound debt and the flash loan was then repaid.
“Each time the attacker had more 3crv tokens, which he was later able to swap for stablecoins.”
Aave founder Stani Kulechov tweeted that the attack was complex and involved over 160 transactions across multiple DeFi platforms costing over $5,000 in gas fees. Investor Julien Thevenard said that Curve Finance stakers received over $3 million from the exploit.
2020 saw multiple flash loan exploits similar to this one and the trend has continued into 2021. Yearn Finance has also recently re-launched its popular yETH vault, though yield farmers may be a little cautious following this incident.
YFI Price Dumps 12%
Yearn’s native YFI token has taken a hit on the news, dumping almost 12% over the past few hours. YFI had hit a local high of $34,950 according to CoinGecko but immediately dipped back below $30,000 briefly as reports of the attack emerged.
At the time of press, YFI was back to trading at $32,400, up 42% since the beginning of 2021. Curve DAO tokens have actually done the opposite, pumping 13% over the past 24 hours as CRV hits its highest price for over five months at $3.27.