untitled design

DeFi project Yearn.Finance lost $ 11 million

Decentralized finance (DeFi) project Yearn.Finance announced tonight that one of its pools had been exploited and lost $ 11 million in assets.

“We found that the v1 yDAI repository was affected by an exploit. The exploit has been eliminated, ”the developers said via their official Twitter account.

 

“The Yearn DAI v1 storage was exploited, the organizer of the attack left with $ 2.8 million, the storage lost $ 11 million. Deposits in the v1 strategy for DAI, TUSD, USDC, USDT are disabled while we are investigating,” added the lead developer of Yearn.Finance later under the nickname banteg.

 

Yearn.Finance is a profitability aggregator and allows users to deposit assets into pools or so-called vaults, from where they are then distributed through other DeFi protocols to earn interest payments.

DeFi platform founder Aave Stani Kulechov pointed to the attacker’s transaction, which involved the use of multiple DeFi protocols and was worth over $ 5,000 in processing fees.

“A complex exploit with more than 160 nested transactions and 8.6 million units of used gas (about 75% of the block),” he wrote.

In particular, a service flash loan of the Aave protocol was used, which allows receiving an unlimited amount of assets without collateral, provided that they are returned in the same block. Investor Julien Thévenard also notesthat as a result of this operation, Curve Finance protocol stakers earned $ 3.5 million.

The first to pay attention to the problem were users on the Discord and Telegram channels. At 00:38 Moscow time, one of them wrote:

“Does anyone know why v1Dai shows that I have lost thousands of Dai in the last few minutes?”

After 01:00, the front-end v1 repositories on Yearn.Finance started showing a loss of 1,059%.

The attacked v1 DAI vault was updated to use new investment strategies last month. At the time of the attack, the storage was configured in such a way as to contribute all funds to the 3pool on the Curve DeFi platform. 3pool contains DAI, USDT and USDC and allows you to exchange stablecoins with each other with minimal exchange rate differences. Analyst Igor Igamberdiev explained the mechanics of what happened:

1. Borrow through flash loan 116,000 ETH on dYdX;
2. Borrow through flash loan 99,000 ETH on Aave v2;
3. Using ETH as collateral, borrow 134 million USDC and 129 million DAI through Compound;
4. Add 134 million USDC and 36 million DAI to the 3crv Curve pool;
5. Withdraw 165 million USDT from the 3crv Curve pool;
6. Repeat the following steps five times:
7. Add 93 million DAI to the yDAI repository (less and less each time);
8. Add 165 million USDT to the 3crv pool;
9. Withdraw 92 million DAI from the yDAI repository (less and less each time);
10. Withdraw 165 million USDT from the 3crv pool.
11. For the last time, withdraw 39 million DAI and 134 million USDC instead of USDT;
12. Pay off debt on Compound;
13. Redeem flash loan.

“Each time, the organizer of the attack got more and more 3crv tokens, which he was then able to exchange for stablecoins,” adds Igamberdiev. “It’s funny how many times he used flash loans.”

Yearn.Finance is at the forefront of the rise of the DeFi space that kicked off last summer. Over the past day, the YFI rate fell by 4.8% to $ 31,801.

You may also like

Get the latest

Stay Informed: Get the Latest Updates and Insights

 

Most popular