Yearn Finance Dai Vault Exploited For $11 Million, YFI Dumps
Attacker makes off with $2.8 million from Yearn Finance.
yDai vault exploited with another flash loan attack.
YFI prices slump 12% but CRV gains 15%.
Another decentralized finance exploit has resulted in an attacker making off with millions. This time around Yearn Finance is the victim.
A developer from Yearn Finance has reported that its v1 yDAI vault was exploited by a malicious actor in the early hours of Feb. 5. He added that the attacker got away with $2.8 million, and the vault lost $11 million.
Deposits into strategies have been disabled for version 1 DAI, TUSD, USDC, USDT vaults while the DeFi platform investigates. It appears that Curve Finance liquidity providers also benefitted from the attack to the tune of around $3 million.
Yearn DAI v1 vault got exploited, the attacker got away with $2.8m, the vault lost $11m. Deposits into strategies disabled for v1 DAI, TUSD, USDC, USDT vaults while we investigate. pic.twitter.com/1RWYyu0d5m
— banteg (@bantg) February 4, 2021
Another Flash Loan Exploit
Research analyst Igor Igamberdiev broke down the incursion, stating that the attacker executed eleven transactions, beginning with a flash loan of 116,000 ETH from the dYdX exchange. A further 99,000 ETH was flash loaned from Aave v2, and this was then used as collateral to borrow 134 million USDC and 129 million Dai on the Compound Finance platform.
The attacker added the USDC and 36 million DAI to the 3crv Curve pool in order to withdraw 165 million USDT from it. This was repeated five times.
The remaining 93 million Dai was deposited in Yearn’s yDai vault and the 165 million USDT went into the 3crv pool. The funds were then withdrawn from the two pools after earning 3crv tokens, with the last withdrawal being 39 million Dai and 134 million USDC instead of USDT. The Compound debt and the flash loans were then repaid.
“Each time the attacker had more 3crv tokens, which he was later able to swap for stablecoins.”
Ok, new DeFi exploit.
Attacker profit:
– 513k DAI
– 1.7M USDT
– remaining 506k 3CRV (~$1)
To obtain such a profit, the attacker executed 11 transactions.
Below is a very superficial explanation of what was happening in these transactions
— Igor Igamberdiev (@FrankResearcher) February 4, 2021
Aave founder Stani Kulechov tweeted that the attack was complex and involved over 160 transactions across multiple DeFi platforms costing over $5,000 in gas fees. Investor Julien Thevenard said that Curve Finance stakers received over $3 million from the exploit.
In this exploit, the arber got away with $2.8M and @CurveFinance stakers received over $3M … https://t.co/TV7u2VM4BU pic.twitter.com/NgyIyjpbwC
— Julien Thevenard (@JulienThevenard) February 4, 2021
2020 saw multiple flash loan exploits similar to this one and the trend has continued into 2021. Yearn Finance has also recently re-launched its popular yETH vault, though yield farmers may be a little cautious following this incident.
YFI Price Dumps 12%
Yearn’s native YFI token has taken a hit on the news, dumping almost 12% over the past few hours. YFI had hit a local high of $34,950 according to CoinGecko but immediately dipped back below $30,000 briefly as reports of the attack emerged.
At the time of press, YFI was back to trading at $32,400, up 42% since the beginning of 2021. Curve DAO tokens have done the opposite, pumping 13% over the past 24 hours as CRV hit its highest price in over five months at $3.27.
The original article from Beincrypto